ISE CVE Patching
ISE CVE-2026-20029 Patching
CVE Details

| Field | Value |
|---|---|
| CVE ID | CVE-2026-20029 |
| Severity | HIGH |
| Type | XML External Entity (XXE) Injection |
| Component | ISE External RESTful Services (ERS) API |
| Affected Versions | ISE 3.1, 3.2, 3.3 (pre-patch) |
| Fixed In | ISE 3.2 Patch 8, ISE 3.3 Patch 3 |
| CHLA Version | ISE 3.2 Patch 5 (vulnerable) |
CHLA Exposure Assessment

Overall exposure: LOW

| Factor | Detail |
|---|---|
| API Accounts | 5 service accounts provisioned (no user accounts) |
| External Access | None — ERS API restricted to management VLAN only |
| Credential Rotation | Quarterly (90-day) rotation enforced for all service accounts |
| Authentication | Basic auth with IP-based source restriction; MFA required for admin console |
| Attack Surface | Attacker must already have management VLAN access to reach ERS API |

Despite the HIGH CVSS rating, the combination of network segmentation, limited accounts, and access controls reduces the practical risk significantly. However, patching remains mandatory per CHLA vulnerability management policy.
Mitigations In Place

These controls reduce risk while awaiting the patch:

- Firewall rules — ERS API source IPs restricted to authorized management stations
- Rate limiting — API endpoint rate limiting configured to detect automated exploitation
- Audit logging — All ERS API calls logged to ISE Monitoring & Troubleshooting (MnT) node
- Account monitoring — Service account usage reviewed weekly for anomalous patterns
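As an added example (not part of this tracker or of Cisco ISE), the weekly review above can be scripted: it checks exported ERS API audit records against the authorized management-station IPs, the five provisioned service accounts, and the per-minute rate limit. The record layout, IP addresses, account names and threshold are constructed placeholders.

```python
"""ERS API audit review. Example code added here, not part of this tracker or
of Cisco ISE; record layout, IPs, accounts and threshold are constructed."""
from collections import Counter

# Constructed allowlists: substitute the real management stations and accounts.
AUTHORIZED_SOURCES = {"10.0.10.11", "10.0.10.12"}
SERVICE_ACCOUNTS = {"svc-nac-sync", "svc-netops", "svc-helpdesk",
                    "svc-guest", "svc-report"}
RATE_LIMIT_PER_MINUTE = 3  # placeholder, kept low so the sample exercises the check

# Constructed sample records: timestamp,src_ip,account,method,path,status
SAMPLE_LOG = """\
2026-02-03T09:00:01,10.0.10.11,svc-nac-sync,GET,/ers/config/endpoint,200
2026-02-03T09:00:02,10.0.10.11,svc-nac-sync,GET,/ers/config/endpoint,200
2026-02-03T09:00:05,10.0.10.12,svc-netops,GET,/ers/config/networkdevice,200
2026-02-03T09:00:06,10.0.10.12,svc-netops,POST,/ers/config/networkdevice,500
2026-02-03T09:00:07,10.0.10.12,svc-netops,POST,/ers/config/networkdevice,500
2026-02-03T09:00:08,10.0.10.12,svc-netops,POST,/ers/config/networkdevice,500
2026-02-03T09:01:00,10.0.50.5,svc-nac-sync,GET,/ers/config/endpoint,200
2026-02-03T09:01:03,10.0.10.11,jdoe,GET,/ers/config/internaluser,401
"""

def parse_records(text):
    """Split CSV-style audit lines into dicts; 'minute' is the rate bucket key."""
    records = []
    for line in text.splitlines():
        ts, src, account, method, path, status = line.split(",")
        records.append({"ts": ts, "minute": ts[:16], "src": src, "account": account,
                        "method": method, "path": path, "status": int(status)})
    return records

def review(records):
    """Return (finding, src_ip, account, when) tuples for each control violation."""
    findings = []
    per_minute = Counter()
    for r in records:
        if r["src"] not in AUTHORIZED_SOURCES:    # call from outside the allowlisted stations
            findings.append(("unauthorized_source", r["src"], r["account"], r["ts"]))
        if r["account"] not in SERVICE_ACCOUNTS:  # not one of the provisioned service accounts
            findings.append(("unknown_account", r["src"], r["account"], r["ts"]))
        per_minute[(r["src"], r["account"], r["minute"])] += 1
    for (src, account, minute), n in per_minute.items():
        if n > RATE_LIMIT_PER_MINUTE:             # burst beyond the configured rate limit
            findings.append(("rate_exceeded", src, account, minute))
    return findings

if __name__ == "__main__":
    for finding in review(parse_records(SAMPLE_LOG)):
        print(*finding)
```

On the sample records it reports one call from an unlisted source, one call by a non-service account, and one per-minute burst.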
Patch Plan

| Field | Value |
|---|---|
| Target Version | ISE 3.2 Patch 8 |
| Maintenance Window | February 10-12, 2026 |
| Duration | 3-day window (upgrade + validation) |
| Rollback Plan | Repository backup on each node pre-upgrade |

Upgrade Sequence

- PPAN (Primary Policy Administration Node) — upgrade first, verify replication
- SPAN (Secondary Policy Administration Node) — upgrade, verify HA failover
- PSNs (Policy Service Nodes) — rolling upgrade, one at a time, verify auth flow between each

Action Checklist

| Action | Detail | Status |
|---|---|---|
| iTrack CR submitted | Change request for ISE 3.2P8 upgrade | ✅ Done |
| Maintenance window scheduled | Feb 10-12, 2026 — coordinated with NOC | ✅ Done |
| Pre-upgrade backup | Repository backup on PPAN, SPAN, all PSNs | ❌ Pending (day-of task) |
| Upgrade PPAN | Primary admin node first | ❌ Pending |
| Upgrade SPAN | Secondary admin node, verify HA | ❌ Pending |
| Upgrade PSNs | Rolling upgrade, verify auth between each | ❌ Pending |
| Post-upgrade validation | ERS API functional test, auth flow test, replication check | ❌ Pending |
| CVE verification | Confirm XXE no longer exploitable on ERS API | ❌ Pending |
| Documentation | Update ISE version tracker, close CR | ❌ Pending |

Status

VERIFY — The February 10-12 maintenance window has passed. Confirm whether the ISE 3.2 Patch 8 upgrade was completed successfully. Check: