Cisco Product Security Update Advisory

Cisco Security Update Summary.


Remote code execution (RCE) and path traversal vulnerabilities in the Cisco Identity Services Engine (ISE) and ISE-PIC product families have been addressed. CVE-2026-20147 is an RCE vulnerability that affects both Cisco ISE and ISE-PIC, and CVE-2026-20180 and CVE-2026-20186 are RCE vulnerabilities in Cisco ISE.

Affected Versions.


The affected versions are as follows.

  • CVE-2026-20147: Cisco ISE and ISE-PIC before 3.1 and the 3.1, 3.2, 3.3, 3.4, and 3.5 series are affected.
  • CVE-2026-20180, CVE-2026-20186: Cisco ISE before 3.2 and the 3.2, 3.3, 3.4, and 3.5 series are affected.

Patch version.


The patch and fix versions provided are as follows.

  • CVE-2026-20147 Patch versions: 3.1 Patch 11, 3.2 Patch 10, 3.3 Patch 11, 3.4 Patch 6, 3.5 Patch 3, and ISE-PIC migrations to the same patch set or modified versions.
  • CVE-2026-20180, CVE-2026-20186 Patch versions: 3.2 Patch 8, 3.3 Patch 8, 3.4 Patch 4, or migration to a modified version.
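
As an added example (not from Cisco or the original page), the Python below encodes the two lists above and reports a per-CVE status for each node in an inventory. The hostnames, inventory values, function names and status strings are constructed for illustration; a series the page lists as affected but gives no patch level for is flagged for migration rather than guessed.

```python
from typing import Dict, Tuple

Series = Tuple[int, int]
LAST_LISTED: Series = (3, 5)  # newest series this page lists as affected

# Fixed patch level per series, transcribed from the "Patch version" list.
_P147 = {(3, 1): 11, (3, 2): 10, (3, 3): 11, (3, 4): 6, (3, 5): 3}
_P180 = {(3, 2): 8, (3, 3): 8, (3, 4): 4}  # the page lists no 3.5 patch
ADVISORY = {
    "CVE-2026-20147": ({"ISE", "ISE-PIC"}, _P147),
    "CVE-2026-20180": ({"ISE"}, _P180),
    "CVE-2026-20186": ({"ISE"}, _P180),
}

def parse_series(version: str) -> Series:
    """'3.2' or '3.2.0' -> (3, 2); raises ValueError on malformed input."""
    parts = version.strip().split(".")
    if len(parts) < 2:
        raise ValueError(f"not a major.minor version: {version!r}")
    return int(parts[0]), int(parts[1])

def assess(product: str, version: str, patch: int) -> Dict[str, str]:
    """Return a per-CVE status for one node (status strings are illustrative)."""
    series = parse_series(version)
    result = {}
    for cve, (products, fixed) in ADVISORY.items():
        if product not in products:
            result[cve] = "product not listed"
        elif series > LAST_LISTED:
            result[cve] = "series not listed"  # newer than anything on this page
        elif series not in fixed:
            result[cve] = "affected: no patch listed, migrate"
        elif patch >= fixed[series]:
            result[cve] = "patched"
        else:
            result[cve] = f"affected: install Patch {fixed[series]}"
    return result

# Constructed inventory: (hostname, product, version, installed patch level).
INVENTORY = [
    ("ise-pan-01", "ISE", "3.3", 8),
    ("ise-psn-02", "ISE", "3.5", 3),
    ("pic-01", "ISE-PIC", "3.0", 0),
]

def report() -> Dict[str, Dict[str, str]]:
    return {host: assess(prod, ver, p) for host, prod, ver, p in INVENTORY}

if __name__ == "__main__":
    for host, status in report().items():
        print(host, status)
```
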

Impact and Advisory.


The impact and recommendations are as follows.

  • The primary impact of these vulnerabilities is privilege escalation and possible service disruption resulting from remote arbitrary code execution and access to system files.
  • Users of affected versions are advised to upgrade to the patch number provided by the manufacturer or migrate to a fixed version.
  • In addition, complementary mitigation measures such as restricting access to the administrator interface and monitoring logs for anomalies are recommended.

For additional information and detailed guidance, customers are encouraged to consult the official Cisco advisory. References include links to Cisco security advisories.