The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2022-20965

CVE-2022-20965: Cisco ISE Auth Bypass Vulnerability

CVE-2022-20965 is an authentication bypass vulnerability in Cisco Identity Services Engine that allows authenticated attackers to perform privileged actions. This article covers technical details, affected versions, and mitigation.

Published: February 11, 2026

CVE-2022-20965 Overview

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to take privileged actions within the web-based management interface. This vulnerability is due to improper access control on a feature within the web-based management interface of the affected system.

An attacker could exploit this vulnerability by accessing features through direct requests, bypassing checks within the application. A successful exploit could allow the attacker to take privileged actions within the web-based management interface that should be otherwise restricted.

Critical Impact

Authenticated attackers can bypass access controls and perform privileged administrative actions on Cisco ISE deployments, potentially compromising network access control policies and authentication infrastructure.

Affected Products

  • Cisco Identity Services Engine 2.6.0 (including patches 1-12)
  • Cisco Identity Services Engine 2.7.0 (including patches 1-7)
  • Cisco Identity Services Engine 3.0.0 (including patches 1-6)
  • Cisco Identity Services Engine 3.1 (including patches 1, 3, 4)
  • Cisco Identity Services Engine 3.2

Discovery Timeline

  • January 20, 2023 - CVE-2022-20965 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2022-20965

Vulnerability Analysis

This vulnerability represents a Broken Access Control (CWE-648: Incorrect Use of Privileged APIs) issue within the Cisco Identity Services Engine web-based management interface. The application fails to properly enforce authorization checks when processing direct HTTP requests to privileged functionality.

The flaw allows authenticated users with limited privileges to access administrative features by crafting direct requests to the application endpoints. This bypasses the normal access control mechanisms that would restrict these actions through the standard user interface navigation.

Cisco ISE is a critical network access control solution that manages authentication, authorization, and accounting (AAA) for enterprise networks. Compromise of this system could allow attackers to modify network access policies, manipulate authentication rules, or gain access to sensitive network configuration data.

Root Cause

The root cause of this vulnerability is improper access control implementation on specific features within the web-based management interface. The application relies on client-side controls or inadequate server-side validation to restrict access to privileged functionality. When users make direct HTTP requests to these features, the backend fails to verify whether the authenticated user has the appropriate privilege level to perform the requested action.

This architectural weakness allows low-privileged authenticated users to escalate their access by directly invoking API endpoints or management functions that should only be available to administrators.

Attack Vector

The attack vector is network-based, requiring the attacker to have authenticated access to the Cisco ISE web-based management interface. The exploitation process involves:

  1. An attacker first authenticates to the Cisco ISE web interface with any valid user credentials
  2. The attacker identifies privileged features or API endpoints through reconnaissance
  3. The attacker crafts direct HTTP requests to these endpoints, bypassing the normal UI-based access controls
  4. The server processes these requests without proper authorization validation, executing the privileged actions

This vulnerability does not require user interaction and can be exploited with low attack complexity once authenticated access is obtained.

Detection Methods for CVE-2022-20965

Indicators of Compromise

  • Unusual administrative actions performed by low-privileged user accounts in ISE audit logs
  • Direct API requests to privileged endpoints from non-administrator sessions
  • Unexpected changes to network access policies, authentication configurations, or user permissions
  • HTTP requests to administrative URLs from user sessions that should not have access to those features

Detection Strategies

  • Review Cisco ISE audit logs for privilege escalation attempts and unauthorized administrative actions
  • Monitor for direct HTTP requests to administrative endpoints that bypass normal navigation patterns
  • Implement web application firewall (WAF) rules to detect and alert on direct access attempts to privileged functionality
  • Deploy SentinelOne Singularity to monitor endpoint and network activity for signs of exploitation attempts

Monitoring Recommendations

  • Enable verbose logging on Cisco ISE to capture all administrative actions and user session activities
  • Configure SIEM correlation rules to detect low-privileged users performing administrative operations
  • Regularly audit user permissions and access patterns within the ISE management interface
  • Monitor network traffic to ISE management interfaces for anomalous request patterns

How to Mitigate CVE-2022-20965

Immediate Actions Required

  • Apply the latest security patches from Cisco as described in the official security advisory
  • Restrict access to the ISE web-based management interface to trusted networks only
  • Implement network segmentation to limit who can reach the ISE management plane
  • Review and audit all user accounts with access to ISE, removing unnecessary privileges

Patch Information

Cisco has released security updates to address this vulnerability. Organizations should refer to the Cisco Security Advisory cisco-sa-ise-7Q4TNYUx for specific patch versions and upgrade instructions applicable to their ISE deployment.

Administrators should upgrade to a fixed software release as soon as possible to fully remediate this vulnerability.

Workarounds

  • Limit network access to the ISE management interface using ACLs or firewall rules
  • Implement role-based access control (RBAC) and regularly audit user permissions
  • Use a bastion host or jump server for administrative access to ISE
  • Enable multi-factor authentication (MFA) for all ISE administrative accounts
bash
# Example: Restrict ISE management access using network ACLs
# Apply ACL to limit management interface access to trusted admin networks
ip access-list extended ISE-MGMT-RESTRICT
 permit tcp 10.1.100.0 0.0.0.255 host 10.1.1.10 eq 443
 permit tcp 10.1.100.0 0.0.0.255 host 10.1.1.10 eq 80
 deny ip any host 10.1.1.10

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechCisco Identity Services Engine
  • SeverityMEDIUM
  • CVSS Score5.4
  • EPSS Probability0.20%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-648
  • NVD-CWE-Other
  • Vendor Resources
  • Cisco Security Advisory
  • Related CVEs
  • CVE-2025-20285: Cisco ISE Auth Bypass Vulnerability
  • CVE-2025-20264: Cisco ISE Auth Bypass Vulnerability
  • CVE-2025-20125: Cisco ISE Authorization Bypass Flaw
  • CVE-2024-20537: Cisco ISE Authorization Bypass Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English