Issues Encountered

Issues

| ID | Description | Severity | Status | Notes |
| --- | --- | --- | --- | --- |
| PENTEST-POSTURE-ACL-001 | Posture redirect ACL permits Kerberos (88), SMB (445) and LDAP (389) before posture completes, leaving a credential-harvesting window via an evil twin AP | CRITICAL | 🟡 Pending CR | Zero-trust ACL designed; awaiting change approval. See Posture ACL Remediation. |
| CVE-2026-20029 | ISE ERS API XXE vulnerability; CHLA runs ISE 3.2P5, an affected version | HIGH | ⚠️ Verify | ISE 3.2P8 upgrade scheduled Feb 10-12. Confirm completion. See ISE CVE Patching. |
| MSCHAPv2-WEAKNESS | 6,088 devices authenticate via MSCHAPv2. A captured challenge/response (exposed, for example, when a supplicant does not validate the server certificate against an evil twin) is open to offline dictionary attack and, because of the protocol's DES construction, to NT-hash recovery in 2^56 work regardless of password strength | HIGH | 🟡 In progress | 5-wave migration to EAP-TLS. See MSCHAPv2 Migration Project. |
| DACL-ORDERING | dACL rule ordering error: an RFC1918 deny placed before the ISE posture permit shadows it and locks the endpoint out | MEDIUM | ✅ Resolved | Fixed in V5 dACL. Specific permits now precede broad denies. |
| NO-NATIVE-FTD-ESTREAMER | Firepower Threat Defense offers no eStreamer feed from the sensor itself (eStreamer is an FMC function), so the SIEM integration path is syslog only | MEDIUM | ✅ Resolved | Syslog forwarding configured to SIEM. CEF format normalized. |
| ISENSIX-DHCP-DACL | Isensix BMS controller receives no dACL after MAB and therefore gets unrestricted network access | MEDIUM | 🟡 Identified | Discovered Jan 22. dACL required for the IoT/BMS policy set. |
| Q2-2026-TBD-001 | Reserved: Q2 Mandiant assessment finding 1 | TBD | ❌ Pending | Awaiting formal report |
| Q2-2026-TBD-002 | Reserved: Q2 Mandiant assessment finding 2 | TBD | ❌ Pending | Awaiting formal report |
| Q2-2026-TBD-003 | Reserved: Q2 Mandiant assessment finding 3 | TBD | ❌ Pending | Awaiting formal report |
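Two of the ACL findings above (DACL-ORDERING and PENTEST-POSTURE-ACL-001) are mechanical enough to check before a dACL or pre-posture ACL goes through CR. The script below is an added example, not Cisco or ISE code and not part of this page's remediation: it parses the subset of IOS extended-ACL syntax used here, flags any permit that is fully shadowed by an earlier deny, and flags any pre-posture permit that opens Kerberos, LDAP or SMB. The ACL texts are constructed for illustration; 10.10.10.5 stands in for the ISE PSN, and ports 8443 and 8905 are the ISE portal and posture-agent ports. Point the second check at the ACL that actually grants access (the pre-posture dACL): on IOS-XE switches and 9800 WLCs a redirect ACL's permit means "redirect to the portal", whereas on AireOS the pre-auth ACL's permit means "pass", so the redirect ACL itself is not the right input.

```python
"""Added example (not Cisco or ISE code): static audit of Cisco-style ACL text for
(1) a broad deny that shadows a later, more specific permit (DACL-ORDERING) and
(2) a pre-posture ACL that opens Kerberos (88), LDAP (389) or SMB (445)
    (PENTEST-POSTURE-ACL-001).
Parsed syntax: {permit|deny} {ip|tcp|udp|icmp} <src> <dst> [eq <port>]
where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Credential-bearing services named in the finding.
CREDENTIAL_PORTS = {88: "kerberos", 389: "ldap", 445: "smb"}

ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


@dataclass
class Ace:
    seq: int                    # 1-based position in the ACL; order is the whole point
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]         # None = any destination port
    text: str


def _net(tok: str) -> ipaddress.IPv4Network:
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> IPv4Network."""
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    parts = tok.split()
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    addr, wildcard = parts
    # An IOS wildcard is the bitwise inverse of the netmask.
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_acl(text: str) -> List[Ace]:
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # blank line or IOS comment
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line}")
        port = int(m["port"]) if m["port"] else None
        aces.append(Ace(len(aces) + 1, m["action"], m["proto"],
                        _net(m["src"]), _net(m["dst"]), port, line))
    return aces


def _covers(broad: Ace, narrow: Ace) -> bool:
    """True if every packet matched by `narrow` would already have matched `broad`."""
    proto_ok = broad.proto == "ip" or broad.proto == narrow.proto
    port_ok = broad.port is None or broad.port == narrow.port
    return (proto_ok and port_ok
            and narrow.src.subnet_of(broad.src)
            and narrow.dst.subnet_of(broad.dst))


def find_shadowed_permits(aces: List[Ace]) -> List[Tuple[int, int]]:
    """(deny_seq, permit_seq) pairs where an earlier deny fully shadows a later permit."""
    hits = []
    for i, permit in enumerate(aces):
        if permit.action != "permit":
            continue
        for earlier in aces[:i]:
            if earlier.action == "deny" and _covers(earlier, permit):
                hits.append((earlier.seq, permit.seq))
    return hits


def find_credential_ports_permitted(aces: List[Ace]) -> List[Tuple[int, str]]:
    """(seq, service) for permits opening 88/389/445, or every port, pre-posture."""
    hits = []
    for a in aces:
        if a.action != "permit":
            continue
        if a.port in CREDENTIAL_PORTS:
            hits.append((a.seq, CREDENTIAL_PORTS[a.port]))
        elif a.port is None and a.proto in ("ip", "tcp"):
            hits.append((a.seq, "all-ports"))
    return hits


# Constructed samples (10.10.10.5 stands in for the ISE PSN; addresses are illustrative).
DACL_V4 = """          ! V4-style defect: RFC1918 deny sits above the permit to the PSN
deny   ip  any 10.0.0.0 0.255.255.255
permit tcp any host 10.10.10.5 eq 8443
permit udp any any eq 53
permit ip  any any
"""
DACL_V5 = """          ! V5-style fix: specific permits first, broad deny after
permit tcp any host 10.10.10.5 eq 8443
permit udp any any eq 53
deny   ip  any 10.0.0.0 0.255.255.255
permit ip  any any
"""
PRE_POSTURE_AS_FOUND = """   ! DNS, DHCP, PSN ... and Kerberos/LDAP/SMB
permit udp any any eq 53
permit udp any any eq 67
permit tcp any host 10.10.10.5 eq 8443
permit tcp any any eq 88
permit tcp any any eq 389
permit tcp any any eq 445
deny   ip  any any
"""
PRE_POSTURE_HARDENED = """   ! only DNS, DHCP and the PSN portal/agent ports
permit udp any any eq 53
permit udp any any eq 67
permit tcp any host 10.10.10.5 eq 8443
permit tcp any host 10.10.10.5 eq 8905
deny   ip  any any
"""

if __name__ == "__main__":
    for name, acl in (("dACL V4", DACL_V4), ("dACL V5", DACL_V5)):
        print(name, "shadowed permits:", find_shadowed_permits(parse_acl(acl)))
    for name, acl in (("pre-posture as found", PRE_POSTURE_AS_FOUND),
                      ("pre-posture hardened", PRE_POSTURE_HARDENED)):
        print(name, "credential services open:",
              find_credential_ports_permitted(parse_acl(acl)))
```

The shadow check is deliberately conservative: it only reports a permit when an earlier deny covers its protocol, port, source and destination entirely, which is exactly the V4 failure mode (the PSN permit could never match, so the endpoint stayed locked out). Partial overlaps are left for a human to read, since those are often intentional.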