Cisco disclosed two vulnerabilities in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) on June 17, 2026, that chain into a complete unauthenticated-to-root-shell compromise requiring no prior credentials. CVE-2026-20190 allows credential harvesting without authentication; CVE-2026-20181 converts those credentials into root-level OS command execution. Because ISE is the network access control and policy enforcement hub for enterprise and government networks, a successful exploit grants an adversary control over who and what is admitted to the network. No workarounds exist; patching is the only remediation.