This is very common in Cisco products
Cisco is great at making products on top of Linux and Apache tools, but they are utterly useless at securing Linux and Apache tools. Currently dozens (maybe more) of Linux kernel exploits work against ISE since Cisco doesn't enable configuration of RHEL updates on those boxes. As a result, they are very often very vulnerable. They are also wide open to Tomcat attack vectors because the version of Tomcat running on ISE is ancient and unpatched.
As for root passwords... install ISE on KVM twice (or more) and mount the qcow images on a Linux box after. You'll find that the password for root is the same on all those images. While ssh access as root appears to be disabled, there are a few other accounts with the same issue.
I don't even want to talk about Prime. It's a disaster in this regard.
Surprisingly enough APIC-EM for now seems ok, but that's because about 90% of the APIC-EM platform is a Linux containers host called grapevine. I think the people who worked on that were somewhat more competent (I believe they're mostly European, not the normal 50 programmers/indentured servants for the price of 1 that Cisco typically uses).
I haven't started hacking on IOS-XE... I actually don't look for these bugs. I just write a lot of code against Cisco systems and it seems like every 5 minutes there's another security disaster waiting to happen. They have asked me to help them resolve them but it would require hundreds of hours of my time to file bug reports and I can't waste work hours on solving their problems for them.
Oh... if you're thinking "oh my god, I have to dump Cisco", don't bother. The only boxes I would currently trust for security are white boxes, and unless you know how to assemble a team of system-level software and hardware engineers (no... that really smart guy you know from college doesn't count) you should steer clear of those. The companies who use those successfully are the same ones who designed them.
Cisco, you need a bug bounty program. Even if I could make $100 for each bug I stumble on, I would invest the half hour to an hour it takes to write a meaningful bug report. Then you can fix this stuff before it ends up a headline.
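The image comparison described in the root-password paragraph can be automated when auditing appliance or golden images you operate. The following is an added example, not part of the original comment: it takes the `/etc/shadow` contents read from two or more mounted images and reports accounts whose stored hash field (salt included) is identical across installs, which indicates the credential shipped in the image rather than being set at install time. The sample shadow data, image names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample /etc/shadow contents (not real hashes) from two installs.
IMAGE_A = """\
root:$6$constructedsalt$AAAAexamplehashAAAA:17000:0:99999:7:::
admin:$6$saltA1$BBBBexamplehashBBBB:17000:0:99999:7:::
svc:$6$sharedsalt$CCCCexamplehashCCCC:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
"""
IMAGE_B = """\
root:$6$constructedsalt$AAAAexamplehashAAAA:17050:0:99999:7:::
admin:$6$saltB7$DDDDexamplehashDDDD:17050:0:99999:7:::
svc:$6$sharedsalt$CCCCexamplehashCCCC:17050:0:99999:7:::
daemon:*:17050:0:99999:7:::
"""
SAMPLE_IMAGES = {"install-a": IMAGE_A, "install-b": IMAGE_B}


def parse_shadow(text):
    """Return {account: hash_field} for accounts that carry a password hash."""
    hashes = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2:
            continue  # blank or malformed line
        user, pw = fields[0], fields[1]
        # Empty, '*' and '!' prefixed fields mean no password or a locked account.
        if not pw or pw[0] in "!*":
            continue
        hashes[user] = pw
    return hashes


def shared_credentials(images):
    """Map account -> image names where the exact same salted hash appears."""
    seen = defaultdict(list)  # (account, hash_field) -> [image names]
    for name, text in images.items():
        for user, pw in parse_shadow(text).items():
            seen[(user, pw)].append(name)
    # A per-install password gets a fresh random salt, so an identical
    # salt+hash string in separate installs means it was baked into the image.
    return {user: sorted(names)
            for (user, _), names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for account, where in shared_credentials(SAMPLE_IMAGES).items():
        print(f"{account}: identical hash in {', '.join(where)}")
```

Accounts it flags should have their credentials rotated or login disabled as part of provisioning, since anyone with a copy of the image holds the same hash.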