Critical Cisco Identity and Webex services vulnerabilities patched; code execution and user impersonation risks resolved
Summary
Hide ▲
Show ▼
Cisco has released patches addressing four critical vulnerabilities (CVSS 9.8–9.9) in Identity Services Engine (ISE) and Webex Services. The flaws include improper certificate validation in Webex SSO integration (CVE-2026-20184) enabling unauthenticated remote attackers to impersonate any user and gain unauthorized access to Webex services, and insufficient input validation in ISE (CVE-2026-20147, CVE-2026-20180, CVE-2026-20186) allowing authenticated remote code execution and command injection with potential root access. CVE-2026-20184 requires customer action—uploading a new SAML certificate for the identity provider (IdP) to Control Hub—to avoid service interruption. Successful exploitation of ISE vulnerabilities could render single-node ISE deployments unavailable, causing a denial of service. As of publication, Cisco PSIRT has no evidence of active exploitation in attacks.
Timeline
-
16.04.2026 14:27 2 articles · 3h ago
Cisco releases critical patches for ISE and Webex services vulnerabilities
Cisco announced patches for four critical vulnerabilities (CVSS 9.8–9.9) in Identity Services Engine (ISE) and Webex Services. The issues include improper certificate validation in Webex SSO integration (CVE-2026-20184) enabling unauthenticated remote attackers to impersonate any user by supplying a crafted token to a service endpoint and gain unauthorized access to Webex services. Cisco reiterates that customers using SSO integration must upload a new SAML certificate for their identity provider (IdP) to Control Hub to avoid service interruption. In ISE, insufficient input validation flaws (CVE-2026-20147, CVE-2026-20180, CVE-2026-20186) allow authenticated remote code execution and command injection with potential root access. Successful exploitation could render single-node ISE deployments unavailable, causing a denial of service. As of publication, Cisco PSIRT has no evidence of active exploitation in attacks.
Show sources
- Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution — thehackernews.com — 16.04.2026 14:27
- Cisco says critical Webex Services flaw requires customer action — www.bleepingcomputer.com — 16.04.2026 15:01
Information Snippets
-
CVE-2026-20184 (CVSS 9.8) in Cisco Webex Services involves improper certificate validation in SSO integration with Control Hub, enabling unauthenticated remote attackers to impersonate any user and gain unauthorized access to Webex services.
First reported: 16.04.2026 14:272 sources, 2 articlesShow sources
- Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution — thehackernews.com — 16.04.2026 14:27
- Cisco says critical Webex Services flaw requires customer action — www.bleepingcomputer.com — 16.04.2026 15:01
-
CVE-2026-20147 (CVSS 9.9) affects Cisco ISE and ISE-PIC, allowing authenticated remote attackers with valid admin credentials to achieve remote code execution via crafted HTTP requests.
First reported: 16.04.2026 14:271 source, 1 articleShow sources
- Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution — thehackernews.com — 16.04.2026 14:27
-
CVE-2026-20180 and CVE-2026-20186 (both CVSS 9.9) in Cisco ISE permit authenticated remote attackers with read-only admin credentials to execute arbitrary commands on the underlying OS via crafted HTTP requests, potentially elevating to root privileges.
First reported: 16.04.2026 14:271 source, 1 articleShow sources
- Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution — thehackernews.com — 16.04.2026 14:27
-
Successful exploitation of ISE vulnerabilities (CVE-2026-20147, CVE-2026-20180, CVE-2026-20186) could render single-node ISE deployments unavailable, causing a DoS and preventing unauthenticated endpoints from accessing the network until recovery.
First reported: 16.04.2026 14:271 source, 1 articleShow sources
- Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution — thehackernews.com — 16.04.2026 14:27
-
CVE-2026-20184 requires no customer action as it is cloud-based, but users are advised to upload a new identity provider (IdP) SAML certificate to Control Hub for SSO configurations.
First reported: 16.04.2026 14:272 sources, 2 articlesShow sources
- Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution — thehackernews.com — 16.04.2026 14:27
- Cisco says critical Webex Services flaw requires customer action — www.bleepingcomputer.com — 16.04.2026 15:01
-
Security updates for ISE include fixes for CVE-2026-20147 in releases 3.1 Patch 11+, 3.2 Patch 10+, 3.3 Patch 11+, 3.4 Patch 6+, and 3.5 Patch 3+, and for CVE-2026-20180/CVE-2026-20186 in releases 3.2 Patch 8+, 3.3 Patch 8+, 3.4 Patch 4+, and 3.5 is not vulnerable.
First reported: 16.04.2026 14:271 source, 1 articleShow sources
- Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution — thehackernews.com — 16.04.2026 14:27
-
CVE-2026-20184 in Webex Services SSO integration with Control Hub allows remote unauthenticated attackers to impersonate any user by supplying a crafted token to a service endpoint
First reported: 16.04.2026 15:011 source, 1 articleShow sources
- Cisco says critical Webex Services flaw requires customer action — www.bleepingcomputer.com — 16.04.2026 15:01
-
Cisco PSIRT has no evidence of exploitation of any of the patched vulnerabilities in attacks as of the publication of this article
First reported: 16.04.2026 15:011 source, 1 articleShow sources
- Cisco says critical Webex Services flaw requires customer action — www.bleepingcomputer.com — 16.04.2026 15:01
Similar Happenings
Cisco SD-WAN Zero-Day Exploited by Highly Sophisticated Threat Actor
A critical zero-day vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controller and Manager is being actively exploited by a sophisticated threat actor, tracked as UAT-8616. The flaw allows unauthenticated remote attackers to bypass authentication and gain administrative privileges. The exploitation dates back to 2023, and Cisco has credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. The vulnerability has a CVSS score of 10.0, indicating maximum severity. Cisco is actively tracking the exploitation and post-compromise activities associated with this flaw. The threat actor is described as highly sophisticated, and the exploitation has been ongoing for some time.
Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023
A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been actively exploited in zero-day attacks since at least 2023. The flaw allows remote attackers to compromise controllers and add malicious rogue peers to targeted networks. The vulnerability stems from a peering authentication mechanism that does not work properly, enabling attackers to log in as high-privileged users and manipulate network configurations. Cisco has released specific software updates to address the issue, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026. Attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775, and have taken steps to clear evidence of the intrusion by purging logs and command history. Additionally, Cisco has flagged two more Catalyst SD-WAN Manager security flaws (CVE-2026-20128 and CVE-2026-20122) as actively exploited in the wild, urging administrators to upgrade vulnerable devices. CVE-2026-20128 is an information disclosure issue affecting the Data Collection Agent (DCA) feature, allowing an authenticated, local attacker to gain DCA user privileges. CVE-2026-20122 is an arbitrary file overwrite bug affecting the API, allowing a remote, authenticated attacker to overwrite arbitrary files and gain elevated privileges. Cisco Talos has linked the attacks exploiting CVE-2026-20127 to UAT-8616, a highly sophisticated threat actor active since at least 2023. Cisco has also released updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: CVE-2026-20079 and CVE-2026-20131.
Critical RADIUS Authentication Flaw in Cisco Secure Firewall Management Center
Cisco has disclosed and patched multiple critical vulnerabilities across its product portfolio, including a newly identified Integrated Management Controller (IMC) authentication bypass flaw (CVE-2026-20093) that allows unauthenticated attackers to gain Admin access to unpatched systems. Additionally, Cisco addressed a critical remote code execution (RCE) vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) (CVE-2026-20160) that enables attackers to execute commands with root-level privileges. Earlier in March 2026, Cisco released security updates for two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: an authentication bypass flaw (CVE-2026-20079) granting root access and an RCE vulnerability (CVE-2026-20131) allowing arbitrary Java code execution. Notably, the Interlock ransomware gang exploited CVE-2026-20131 in zero-day attacks, prompting CISA to add it to its catalog of exploited vulnerabilities and mandate federal agencies to remediate within three days. Cisco also published a bundled set of 25 security advisories addressing 48 vulnerabilities across multiple enterprise networking products, including high-severity issues in ASA Firewall, Secure FMC, and Secure FTD appliances.