Security Experts:

Connect with us

Hi, what are you looking for?



Cisco ISE Vulnerabilities Can Be Chained in One-Click Exploit

Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow remote attackers to inject arbitrary commands, bypass existing security protections, or perform cross-site scripting (XSS) attacks.

Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow remote attackers to inject arbitrary commands, bypass existing security protections, or perform cross-site scripting (XSS) attacks.

An identity-based network access control (NAC) and policy enforcement system, Cisco ISE allows administrators to control endpoint access and manage network devices.

A total of four vulnerabilities have been identified by a researcher in ISE, the exploitation of all requiring an attacker to be a valid and authorized user of the ISE system.

The most severe of these vulnerabilities is CVE-2022-20964, a command injection bug in ISE’s web-based management interface tcpdump feature. The high-severity bug exists because user input is not properly validated.

“An attacker with privileges sufficient to access the tcpdump feature could exploit this vulnerability by manipulating requests to the web-based management interface to contain operating system commands,” Cisco explains in an advisory.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system. If chained with other flaws, the bug could allow the attacker to elevate privileges to root and potentially take over the vulnerable system.

According to Yoroi security researcher Davide Virruso, who discovered the vulnerabilities, Cisco underscored the impact that CVE-2022-20964 has on confidentiality, integrity, and availability, given that the security flaw can be exploited to gain root shell on the operating system.

By chaining CVE-2022-20964 with CVE-2022-20959, an XSS flaw in ISE that Cisco patched in October, an attacker could easily obtain a remote root shell on the vulnerable system, the security researcher told SecurityWeek.

“It only takes one click of the victim on the link to get a shell as the system root user,” Virruso said.

Tracked as CVE-2022-20965, another bug is described as an access bypass in the web-based management interface. According to Virruso, this access control issue expands the attack surface of the chained exploits, exposing many users to attacks.

By exploiting this vulnerability, “an authenticated, remote attacker is able to perform downloads of files generated by the function, leading to the disclosure of information that he or she should not be able to access,” Yoroi explains.

The remaining security defects – CVE-2022-20966 and CVE-2022-20967 – could lead to XSS attacks. The two flaws were identified in the tcpdump and External RADIUS Server features of the web-based management interface, respectively.

An attacker exploiting these vulnerabilities could store malicious HTML or script code within the application interface and use that code for XSS attacks.

Cisco says that patches addressing these vulnerabilities are planned for the first quarter of 2023, in the form of Cisco ISE releases 3.1p6 and 3.2p1.

The tech giant encourages customers to contact it for hot patches and says that it is also evaluating the possible release of patches for ISE versions 2.7 and 3.0.

Virruso told SecurityWeek that proof-of-concept (PoC) code targeting these vulnerabilities will be published next year. In its advisory, Cisco warns that the PoC will likely become available after patches are released.

Related: Cisco Patches 33 Vulnerabilities in Enterprise Firewall Products

Related: Cisco Patches High-Severity Bugs in Email, Identity, Web Security Products

Related: Citrix Patches Critical Vulnerability in Gateway, ADC

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.