Cisco's April 15, 2026 advisory release included four critical-severity vulnerabilities spanning two widely deployed enterprise platforms: Webex Services and Identity Services Engine (ISE). Together they represent a significant attack surface across collaboration infrastructure and network access control. None of the four CVEs had confirmed active exploitation at the time of writing, but the combination of low exploitation barriers (no authentication at all for the Webex flaw, read-only credentials for two of the three ISE flaws) and the strategic position of ISE in network segmentation architectures makes these high-priority remediation targets.
CVE-2026-20184: Webex SSO User Impersonation (CVSS 9.8)
The highest-profile vulnerability in this batch affects Webex Services' integration with Cisco Control Hub through single sign-on. The flaw, classified as improper certificate validation (CWE-295), means the Webex SSO endpoint does not correctly verify the authenticity of SAML tokens presented during authentication; a SAML token's authenticity rests entirely on its signature being checked against the organisation's configured identity provider certificate. An unauthenticated remote attacker who supplies a crafted token can be accepted as any legitimate Webex user within the organisation's deployment, gaining unauthorised access to meetings, recorded content, messaging, and any Webex integrations tied to the impersonated account.
The CVSS 9.8 rating reflects the combination of: network-reachable attack vector, no authentication required, no user interaction required, and full authentication bypass impact. Cisco has patched the server-side vulnerability on the Webex cloud infrastructure, but this fix is not sufficient on its own for organisations using SSO. Administrators must manually regenerate their identity provider (IdP) SAML certificate and upload the new certificate to Cisco Control Hub. Until this action is completed, the SSO integration remains vulnerable to the token manipulation attack. This manual remediation step applies to all Webex enterprise deployments using SSO regardless of whether any incident has been observed.
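The failure CWE-295 names in a SAML relying party most often looks like this: the service checks the assertion's signature against whatever certificate the assertion itself carries, instead of against the identity provider certificate the administrator configured. The Go program below is an added example, not Cisco's code and not a description of how the Webex endpoint is implemented; it shows a deliberately vulnerable verifier beside a pinned one, and why replacing the pinned IdP certificate invalidates tokens signed under the old key. The hostnames and user identities are assumptions, and SAML's XML signature encoding is simplified to a signed struct with an embedded certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Token stands in for a signed SAML assertion: signed fields plus the signer's certificate (XML-DSig simplified).
type Token struct {
	Issuer, Subject string
	CertDER         []byte // certificate the token claims signed it, like <ds:KeyInfo><ds:X509Certificate>
	Signature       []byte // RSA PKCS#1 v1.5 over SHA-256(Issuer|Subject)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newSelfSigned(cn string) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

func digest(t *Token) []byte {
	h := sha256.Sum256([]byte(t.Issuer + "|" + t.Subject))
	return h[:]
}

// issue signs a token with key and embeds cert, as an IdP (or an attacker) would.
func issue(key *rsa.PrivateKey, cert *x509.Certificate, issuer, subject string) *Token {
	t := &Token{Issuer: issuer, Subject: subject, CertDER: cert.Raw}
	t.Signature = must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(t)))
	return t
}

func checkSig(pub any, t *Token) error {
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return errors.New("unsupported key type")
	}
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest(t), t.Signature)
}

// verifyEmbedded is the CWE-295 pattern: the signature is checked against whatever
// certificate the token carries, so anyone holding a key pair gets accepted.
func verifyEmbedded(t *Token) error {
	cert, err := x509.ParseCertificate(t.CertDER)
	if err != nil {
		return err
	}
	return checkSig(cert.PublicKey, t)
}

// verifyPinned is the hardened form: only the IdP certificate configured on the
// relying party may have signed the token; the embedded certificate plays no part.
func verifyPinned(t *Token, trusted *x509.Certificate) error {
	if err := checkSig(trusted.PublicKey, t); err != nil {
		return errors.New("signature not made by the configured IdP certificate")
	}
	return nil
}

type Outcome struct {
	EmbeddedAcceptsForged, PinnedAcceptsForged, PinnedAcceptsLegit, OldTokenAfterRotation bool
}

// Demo: a legitimate IdP, an attacker with a lookalike self-signed certificate, one token
// from each, and an IdP certificate rotation at the end (true = token accepted).
func Demo() Outcome {
	accepted := func(err error) bool { return err == nil }
	idpKey, idpCert := newSelfSigned("idp.example.test") // hostname assumed for the example
	atkKey, atkCert := newSelfSigned("idp.example.test") // attacker's own key, same CN
	legit := issue(idpKey, idpCert, "https://idp.example.test", "alice@example.test")
	forged := issue(atkKey, atkCert, "https://idp.example.test", "ceo@example.test")
	_, rotated := newSelfSigned("idp.example.test") // the new certificate after rotation
	return Outcome{
		EmbeddedAcceptsForged: accepted(verifyEmbedded(forged)),
		PinnedAcceptsForged:   accepted(verifyPinned(forged, idpCert)),
		PinnedAcceptsLegit:    accepted(verifyPinned(legit, idpCert)),
		OldTokenAfterRotation: accepted(verifyPinned(legit, rotated)),
	}
}
```

Demo() returns four decisions: the embedded-certificate verifier accepts the forged token because the attacker supplied both the signature and the certificate it is checked against; the pinned verifier rejects it and accepts the genuine one; and once the pinned certificate is replaced, the token signed under the previous key fails too. That last result is what regenerating and re-uploading an IdP certificate buys a relying party in this model: the trust anchor changes, and nothing signed under the old key verifies any more.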
CVE-2026-20180 and CVE-2026-20186: ISE Read-Only Admin to Root (CVSS 9.9)
Two related vulnerabilities in Cisco Identity Services Engine share a root cause: insufficient validation of user-supplied input in ISE API request handling. An authenticated attacker with read-only administrator credentials can send crafted HTTP requests to trigger arbitrary OS command execution under root privileges. In single-node ISE deployments, successful exploitation may render the affected ISE node unavailable, creating a denial-of-service condition in addition to full OS compromise.
The low authentication bar is the critical concern here. Read-only ISE admin access is commonly delegated to helpdesk staff, security monitoring teams, and third-party managed service providers, accounts that would not typically be treated as high-risk. An attacker who compromises any of these accounts, or who has already obtained credentials through phishing or credential theft, can escalate directly to root on the ISE node.
ISE's strategic role compounds the risk: as the network access control system, a compromised ISE can be used to approve or deny access for any endpoint on the network, manipulate network segmentation policy, and grant unauthorised devices elevated access. All ISE versions on branches 3.2, 3.3, 3.4, and 3.5 are affected, as are versions prior to 3.2.
CVE-2026-20147: ISE Full Admin to Root (CVSS 9.9)
The third ISE vulnerability follows the same command injection pattern but requires full administrative credentials rather than read-only access. An authenticated attacker with valid ISE admin credentials sends crafted HTTP requests and achieves root-level code execution on the underlying operating system. The CVSS 9.9 score is not a statement about how many people hold admin credentials; CVSS base metrics do not measure that. It reflects that the impact crosses a scope boundary, from the ISE application into its underlying operating system, with complete loss of confidentiality, integrity and availability. Two practical considerations make the higher privilege requirement less reassuring than it looks: ISE admin accounts are often shared among a broader population than might be assumed, and escalation from ISE admin to OS root is a privilege boundary violation well beyond what the administrative role is intended to grant.
Why ISE Compromise Is High-Consequence
Cisco ISE functions as the policy decision point for network access across enterprise environments. A compromised ISE can:
- Grant unauthorised devices network access: override posture checks and allow non-compliant or unmanaged endpoints onto internal segments
- Modify network segmentation policy: alter SGT (Security Group Tag) assignments, effectively collapsing segment boundaries
- Expose authentication traffic: ISE terminates RADIUS and TACACS+ authentication for network devices; root access exposes the shared secrets configured for those protocols and lets the attacker observe or log the credentials and session data that pass through the node
- Serve as a pivot point: ISE maintains authenticated sessions with network infrastructure; root access may enable lateral movement to managed switches, wireless controllers, and firewalls
ISE is not an internet-facing service in most deployments, but initial access via compromised credentials or a phishing-obtained session provides sufficient leverage to reach it.
Recommended Actions
- Webex SSO deployments (urgent, manual action required): Log into Cisco Control Hub, navigate to SSO settings, regenerate your IdP SAML certificate, and upload the new certificate. This step is mandatory regardless of Cisco's cloud-side patch and cannot be performed by Cisco on your behalf.
- Cisco ISE (patch immediately): Apply the latest available patch release on your current ISE branch. Cisco has released fixes across all affected branches (3.2, 3.3, 3.4, 3.5). Cross-reference the advisory cisco-sa-ise-rce-traversal-8bYndVrZ for exact patched versions per branch.
- Audit read-only ISE admin accounts: Identify all accounts with read-only ISE administrator access. Apply strict account hygiene: disable unused accounts, enforce MFA, and review third-party MSP access grants.
- Monitor ISE API logs: Look for anomalous HTTP requests to ISE management endpoints from unexpected source addresses or at unusual hours. Alert on any ISE node entering an unexpected restart or unavailability condition.
- Restrict ISE management interface exposure: Confirm that ISE administrative interfaces are only reachable from defined management network segments β not from the general enterprise LAN or from any network that could be reached by a phishing-compromised workstation.
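One way to turn the monitoring and exposure items above into something that runs, added here as an example and not anything Cisco ships: a small Go detector that applies four checks to admin-interface access records (source outside the management segment, activity outside business hours, a read-only account issuing a non-GET method, and a 5xx response from an API path as a hint of a malformed or crafted request). The log line format, the management CIDR, the business hours and the account names are all constructed for the example; ISE's own audit and API log formats are not reproduced here, so the parser would need adapting to real exports.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
	"time"
)

// Event is one parsed admin-interface access record (constructed format, not ISE's own log format).
type Event struct {
	When               time.Time
	Src                net.IP
	User, Method, Path string
	Status             int
}

// SampleLog is constructed input: "<RFC3339 time> <source IP> <admin user> <method> <path> <status>".
const SampleLog = `2026-04-16T09:13:44Z 10.20.0.15 netops-admin PUT /ers/config/authorizationprofile/1 200
2026-04-16T02:41:10Z 172.16.88.23 helpdesk-ro POST /ers/config/networkdevice 500
2026-04-16T02:41:12Z 172.16.88.23 helpdesk-ro POST /ers/config/networkdevice 500
2026-04-16T11:05:00Z 10.20.0.16 soc-ro GET /ers/config/sessionservicenode 200
2026-04-16T23:58:31Z 10.20.0.15 netops-admin GET /admin/login 200`

func parse(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 6 {
		return Event{}, fmt.Errorf("expected 6 fields in %q", line)
	}
	when, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	src := net.ParseIP(f[1])
	if src == nil {
		return Event{}, fmt.Errorf("bad source address %q", f[1])
	}
	status, err := strconv.Atoi(f[5])
	if err != nil {
		return Event{}, err
	}
	return Event{When: when, Src: src, User: f[2], Method: f[3], Path: f[4], Status: status}, nil
}

// Policy is the baseline the rules compare against; every value here is an assumption to replace.
type Policy struct {
	MgmtNet       *net.IPNet      // segment allowed to reach the admin interface
	BusinessStart int             // first business hour, UTC, inclusive
	BusinessEnd   int             // end of business hours, UTC, exclusive
	ReadOnly      map[string]bool // accounts that should never issue write methods
}

func DefaultPolicy() Policy {
	_, mgmt, _ := net.ParseCIDR("10.20.0.0/24") // assumed management segment
	return Policy{MgmtNet: mgmt, BusinessStart: 8, BusinessEnd: 18,
		ReadOnly: map[string]bool{"helpdesk-ro": true, "soc-ro": true}}
}

// Reasons lists every rule the event trips; an empty result means no alert.
func (p Policy) Reasons(e Event) []string {
	var r []string
	if !p.MgmtNet.Contains(e.Src) {
		r = append(r, "source outside management network")
	}
	if h := e.When.UTC().Hour(); h < p.BusinessStart || h >= p.BusinessEnd {
		r = append(r, "outside business hours")
	}
	if p.ReadOnly[e.User] && e.Method != "GET" {
		r = append(r, "read-only account issuing a write method")
	}
	if e.Status >= 500 && strings.HasPrefix(e.Path, "/ers/") {
		r = append(r, "server error from API endpoint (malformed or crafted request)")
	}
	return r
}

type Alert struct {
	Event   Event
	Reasons []string
}

// Detect parses each line and returns an Alert for every event that trips a rule.
func Detect(text string, p Policy) ([]Alert, error) {
	var alerts []Alert
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		e, err := parse(line)
		if err != nil {
			return nil, err
		}
		if r := p.Reasons(e); len(r) > 0 {
			alerts = append(alerts, Alert{Event: e, Reasons: r})
		}
	}
	return alerts, nil
}
```

On the sample input Detect returns three alerts: the two helpdesk-ro POSTs trip all four rules at once (off-segment source, 02:41 UTC, a write method from a read-only account, and a 500 from an ERS path), while the netops-admin login at 23:58 trips only the hours rule and is the kind of thing to review rather than page on. The read-only-plus-write rule is the one that maps most directly to the ISE advisories above, since the low-privilege path to root runs through crafted HTTP requests from exactly those accounts; the business-hours check is only meaningful once BusinessStart and BusinessEnd reflect the organisation's real timezone.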