Cisco Identity Services Engine carries a chained two-CVE attack path disclosed June 17, 2026: an unauthenticated information disclosure flaw (CVE-2026-20190, CVSS 7.5) exposes hashed administrative credentials, which can then be cracked or relayed to exploit an authenticated RCE vulnerability (CVE-2026-20181, CVSS 9.1) on the same appliance. ISE sits at the center of network access control policy, meaning a successful compromise gives an attacker the ability to manipulate NAC decisions, forge authentication, and move laterally with near-unrestricted network access. Full patches for ISE 3.5 are not available until August 2026, creating an extended compensating-control window for the largest current release track.