CVE-2026-20147

CVE-2026-20147 is a critical-severity vulnerability with a CVSS 3.x base score of 9.9. Its EPSS exploit-prediction score of 11% places it in the 95th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-77.

Key facts

Description

A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.

Frequently asked questions

What is CVE-2026-20147?
A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
How severe is CVE-2026-20147?
CVE-2026-20147 has a CVSS 3.x base score of 9.9, rated critical severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2026-20147 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 11% (95th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-20147?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
Does CVE-2026-20147 have an EU (EUVD) identifier?
Yes. CVE-2026-20147 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-22962.
When was CVE-2026-20147 published?
CVE-2026-20147 was published on 2026-04-15 and last updated on 2026-06-17.

References

Other CWE-77 (Command Injection) vulnerabilities

Browse all CWE-77 (Command Injection) vulnerabilities →