← CIO Briefings · Critical Impact ACTION REQUIRED

Critical Cisco Webex SSO and Identity Services Engine Vulnerabilities Require Immediate Action

Four critical Cisco vulnerabilities patched April 15 demand urgent enterprise response. CVE-2026-20184 (CVSS 9.8) enables unauthenticated user impersonation in Webex — Cisco's cloud fix is insufficient without administrator action. Three ISE vulnerabilities at CVSS 9.9 allow read-only admins to achieve root code execution on the network access control system underpinning enterprise segmentation.

4 min read
#NIS2#DORA

Situation

Cisco disclosed and patched four critical-severity vulnerabilities on 15 April 2026, affecting two widely deployed enterprise platforms: Webex Services and Identity Services Engine (ISE). None have been observed exploited in the wild as of this brief, but the severity ratings (CVSS 9.8 and 9.9), the ubiquity of both platforms, and the low exploitation barriers make these among the highest-priority patches released this month.

CVE-2026-20184 (CVSS 9.8 — Webex SSO): An improper certificate validation flaw in Webex’s SSO integration with Control Hub allows an unauthenticated remote attacker to present a crafted SAML token and be authenticated as any user within the organisation’s Webex tenant. The attacker gains full access to that user’s meetings, recordings, messages, and any Webex-integrated applications. Cisco has patched the Webex cloud infrastructure, but this fix does not protect enterprise customers unless administrators manually regenerate and upload a new SAML certificate in Control Hub. The remediation step is an administrator-only action.

CVE-2026-20180 and CVE-2026-20186 (CVSS 9.9 — Cisco ISE): Two related insufficient-input-validation vulnerabilities in ISE allow an attacker with read-only administrator credentials to send crafted HTTP requests that execute arbitrary commands with root privileges on the ISE appliance. Read-only admin access is routinely delegated to helpdesk, monitoring teams, and managed service providers — accounts that are not typically treated as high-risk.

CVE-2026-20147 (CVSS 9.9 — Cisco ISE): The same OS command injection vulnerability pattern is present for full ISE admin credentials, providing an escalation path from the ISE management interface to full OS root access.

Business Impact

Webex is the enterprise collaboration platform. User impersonation allows an attacker to access confidential meetings and communications of any targeted individual — executives, board members, legal counsel, M&A teams — without any visible sign of intrusion. Recorded meetings and shared files are accessible. Integrations with CRM, project management, and document platforms connected to the impersonated user account may also be reachable.

Cisco ISE is the network access control system used to enforce segmentation between network zones, manage endpoint compliance checks, and authenticate users and devices on the internal network. A compromised ISE node provides:

  • Control over which endpoints are admitted to which network segments — enabling an attacker to grant unauthorised devices internal access
  • Access to RADIUS/TACACS+ authentication traffic for network devices — exposing infrastructure credentials
  • The ability to flatten network segmentation by modifying Security Group Tag (SGT) assignments
  • Potential pivot access to managed network infrastructure (switches, wireless controllers, firewalls) that maintain trust relationships with ISE

In practice, ISE compromise provides an attacker operating from any internal device with significantly more capability than they started with. Combined with another initial access vector (phishing, VPN credential theft), ISE becomes a force multiplier that undermines the network controls that contain a breach.

Immediate Actions Required

  1. Webex SSO certificate rotation (TODAY — all SSO deployments): Log into Cisco Control Hub as an administrator. Navigate to SSO settings. Regenerate the identity provider (IdP) SAML certificate. Upload the new certificate. This is mandatory — Cisco’s cloud-side fix does not complete the remediation without this administrator action.

  2. Cisco ISE — patch all nodes immediately: Apply Cisco’s patched release for your ISE branch (3.2, 3.3, 3.4, or 3.5). Reference Cisco Security Advisory cisco-sa-ise-rce-traversal-8bYndVrZ for the specific patched version per branch. Patch all ISE primary administration nodes, secondary nodes, and Policy Service Nodes — not just the primary.

  3. Audit ISE read-only administrator accounts: Pull the current list of read-only ISE admin accounts. Disable accounts that are no longer actively used. Enforce MFA for all ISE administrative access (read-only and full admin). Review third-party MSP access grants — if an MSP has read-only ISE access, confirm that access is still required and scoped to the minimum necessary.

  4. Restrict ISE management interface network access: Confirm that the ISE administration portal is accessible only from a dedicated management network or jump host with MFA enforced, not from general enterprise LAN segments reachable from user workstations.

  5. Monitor ISE for anomalous API activity: Alert on unexpected HTTP requests to ISE management endpoints from unfamiliar source addresses. Alert on any ISE node entering an unexpected service-unavailable or restart condition.

For Board or Executive Briefing

Cisco has patched critical vulnerabilities in two systems we rely on: Webex (our video conferencing and messaging platform) and Identity Services Engine (the system that controls who and what can access different parts of our network). One of the Webex vulnerabilities requires our IT team to take a specific manual action today — until they do, an attacker could impersonate any employee on Webex. The network access control vulnerability requires urgent patching; it would allow an attacker who gains access to a low-privilege network management account to take control of the system that enforces our network boundaries. Both are being addressed with urgency.