Key Findings

• Cisco patched four critical vulnerabilities in Identity Services Engine and Webex with CVSS scores ranging from 9.8 to 9.9

• CVE-2026-20184 allows unauthenticated attackers to impersonate any Webex user through improper certificate validation

• CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186 enable authenticated attackers with admin credentials to execute arbitrary code and OS commands

• No evidence of active exploitation in the wild, but immediate patching is strongly recommended

• Cloud-based Webex flaw requires no customer action beyond uploading new IdP SAML certificates for SSO users

Background

Cisco disclosed four critical security flaws affecting its Identity Services Engine and Webex platforms on April 16, 2026. These vulnerabilities represent serious risks to enterprise security, potentially allowing attackers to gain unauthorized system access, execute code remotely, and impersonate legitimate users. The flaws span both cloud-based and on-premises deployments, affecting multiple ISE versions and requiring immediate attention from affected organizations.

Webex SSO Certificate Validation Flaw

CVE-2026-20184 carries a CVSS score of 9.8 and stems from improper certificate validation in Webex's Single Sign-On integration with Control Hub. An unauthenticated remote attacker could exploit this flaw to impersonate any user and gain unauthorized access to Webex services without needing valid credentials.

Since this vulnerability affects Cisco's cloud-based Webex infrastructure, customers do not need to perform system updates. Instead, organizations using SSO authentication should upload a new identity provider SAML certificate to Control Hub as a precautionary measure.

Identity Services Engine Remote Code Execution

CVE-2026-20147 has a CVSS score of 9.9 and affects both Identity Services Engine and ISE Passive Identity Connector. An authenticated attacker possessing valid administrative credentials can execute remote code by sending crafted HTTP requests due to insufficient input validation.

Successful exploitation allows attackers to gain user-level access to the underlying operating system and escalate privileges to root. In single-node ISE deployments, exploitation could render the affected node unavailable, preventing unauthenticated endpoints from accessing the network until service is restored.

ISE Operating System Command Execution

CVE-2026-20180 and CVE-2026-20186 both carry CVSS scores of 9.9 and involve multiple input validation weaknesses in Identity Services Engine. These flaws allow authenticated attackers with read-only admin access to execute arbitrary operating system commands through crafted HTTP requests, bypassing normal access controls.

Like CVE-2026-20147, successful exploitation leads to user-level access and potential privilege escalation to root. The vulnerabilities affect a broader range of admin privilege levels, making them particularly dangerous in environments where administrative access is delegated to multiple users.

Remediation and Patching Requirements

CVE-2026-20147 remediation varies by ISE version. Deployments running releases earlier than 3.1 must migrate to a fixed release. Supported versions require the following patches: 3.1 Patch 11, 3.2 Patch 10, 3.3 Patch 11, 3.4 Patch 6, and 3.5 Patch 3.

For CVE-2026-20180 and CVE-2026-20186, ISE releases earlier than 3.2 require migration to a fixed version. Patched versions are: 3.2 Patch 8, 3.3 Patch 8, 3.4 Patch 4, and 3.5 (not vulnerable). Organizations should prioritize updates immediately despite the absence of reported active exploitation.

Sources

• https://securityaffairs.com/190909/security/cisco-fixed-four-critical-flaws-in-identity-services-and-webex.html

• https://thehackernews.com/2026/04/cisco-patches-four-critical-identity.html

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-rce-traversal-8bYndVrZ

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-cui-cert-8jSZYhWL