CRITICAL: Cisco Drops Patches for Four Critical Flaws in ISE and Webex: One Lets Attackers Impersonate Anyone
Cisco released patches for four critical vulnerabilities affecting Identity Services Engine and Webex. CVE-2026-20184 allows unauthenticated attackers to impersonate any Webex user, while three ISE flaws enable remote code execution and root privilege escalation.
If your organization runs Cisco Identity Services Engine or relies on Webex for communication, this week just got more interesting. Cisco released patches for four critical vulnerabilities that affect both products, and the severity scores tell you everything you need to know about how seriously you should take them. We are looking at CVSS ratings of 9.8 and 9.9 across the board, with one flaw allowing attackers to impersonate any user in Webex and the other three enabling remote code execution on ISE deployments.
Network administrators managing enterprise environments know how central ISE has become to modern access control strategies. It handles authentication, authorization, and policy enforcement for everything from employees connecting to the corporate network to contractors accessing guest resources. When a vulnerability lets an attacker with read-only admin credentials execute arbitrary commands and escalate to root, that is not a theoretical problem. That is a path to complete network compromise.
The first vulnerability, tracked as CVE-2026-20184, carries a CVSS score of 9.8 and affects how Webex Services handles single sign-on integration with Control Hub. The root cause is improper certificate validation during the SSO authentication process. An unauthenticated remote attacker can exploit this flaw to impersonate any user within the service, effectively gaining unauthorized access to legitimate Cisco Webex sessions without needing valid credentials.
Think about what that means in practice. An attacker does not need to steal passwords or compromise user accounts. They can simply bypass the authentication mechanism entirely and masquerade as whoever they want. In organizations where sensitive discussions happen over Webex, where deal negotiations, legal consultations, or strategic planning sessions take place over video calls, that is an uncomfortable amount of access for an outsider to have.
The silver lining here is that this vulnerability exists in cloud-based infrastructure, which means Cisco can remediate it on their end. Customers using SSO integration do not need to deploy patches themselves, but they do need to take one action. Cisco recommends uploading a new identity provider SAML certificate to Control Hub to ensure the vulnerability cannot be exploited against your environment. If you have been putting off certificate rotation, now is the time.
The remaining three vulnerabilities all affect Cisco's Identity Services Engine and its Passive Identity Connector component. Each one stems from insufficient validation of user-supplied input in HTTP request handling, and each one can lead to remote code execution.
CVE-2026-20147 scores a near-perfect 9.9 on the CVSS scale. An authenticated attacker with valid administrative credentials can send specially crafted HTTP requests to execute code on the underlying operating system. The attack chain starts with user-level access but does not stop there. Successful exploitation allows privilege escalation to root, giving the attacker complete control over the ISE node.
CVE-2026-20180 and CVE-2026-20186 follow the same pattern but with an even lower barrier to entry. These flaws can be exploited by anyone with read-only admin credentials. In many enterprise environments, read-only accounts get handed out more liberally than full administrative access. Security teams often create these accounts for auditing purposes, for help desk staff who need visibility without control, or for third-party vendors who need to troubleshoot issues. The assumption has always been that read-only means harmless. These vulnerabilities prove that assumption wrong.
What makes these ISE vulnerabilities particularly concerning is the cascading impact of successful exploitation. Cisco explicitly warns that in single-node ISE deployments, an attack could take down the entire node. When ISE goes offline, any endpoints that have not already authenticated lose network access entirely. For organizations that rely on ISE as their primary network access control solution, that means employees locked out of systems, applications unreachable, and business operations grinding to a halt until someone restores service.
None of these vulnerabilities have been observed in active exploitation yet, according to Cisco's advisory. That is good news, but it should not breed complacency. Critical vulnerabilities with publicly documented exploitation paths do not stay theoretical for long. Security researchers will dissect these patches to understand what changed, and that reverse engineering process often produces working exploit code within days or weeks.
The authentication requirements for the ISE vulnerabilities provide some protection. An attacker needs valid credentials to launch these attacks, which means they either need to compromise an admin account first or already have insider access. But credential theft happens constantly, whether through phishing campaigns, password spraying, or buying stolen credentials from dark web marketplaces. The organizations most at risk are those where admin accounts have weak passwords, where multi-factor authentication is not enforced for administrative access, or where former employees still have active credentials.
The Webex vulnerability presents a different risk profile because it requires no authentication at all. Any attacker who can reach the SSO integration endpoint can attempt exploitation. For organizations using Webex across distributed workforces, where employees connect from home networks and coffee shops and airport lounges, that attack surface is broader than anyone would like.
Cisco has released patches across multiple ISE versions. For CVE-2026-20147, fixes are available starting with ISE 3.1 Patch 11. Organizations running ISE 3.2 should apply Patch 10, those on ISE 3.3 need Patch 11, ISE 3.4 requires Patch 6, and ISE 3.5 users should install Patch 3. Anyone still running ISE versions earlier than 3.1 needs to migrate to a supported release because Cisco is not backporting these fixes to end-of-life software.
The patches for CVE-2026-20180 and CVE-2026-20186 follow a similar pattern but start with ISE 3.2. Patch 8 addresses these flaws for ISE 3.2 deployments, Patch 8 covers ISE 3.3, and Patch 4 handles ISE 3.4. Organizations already running ISE 3.5 are not vulnerable to these particular flaws, which suggests Cisco may have addressed the underlying code issues during that version's development cycle.
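As an added example (not from Cisco or from this article's author), the Python helper below applies the fixed-patch levels listed above to an inventory of ISE nodes and reports, per CVE, whether each node still needs attention. The version-string format, hostnames and build numbers are constructed assumptions; ISE 3.1 is reported as unknown for CVE-2026-20180 and CVE-2026-20186 because the article does not state its status.

```python
import re

# Minimum fixed patch per ISE release train, as stated in the article above.
# None means the article says that train is not vulnerable to the CVE.
FIXED = {
    "CVE-2026-20147": {"3.1": 11, "3.2": 10, "3.3": 11, "3.4": 6, "3.5": 3},
    "CVE-2026-20180": {"3.2": 8, "3.3": 8, "3.4": 4, "3.5": None},
    "CVE-2026-20186": {"3.2": 8, "3.3": 8, "3.4": 4, "3.5": None},
}
OLDEST_SUPPORTED = (3, 1)  # releases earlier than 3.1 must migrate

# Assumed inventory string format: "<major>.<minor>[.build...] [patch <n>]"
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.\d+)*(?:\s+patch\s+(\d+))?\s*$", re.I)

def parse_version(text):
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    return (int(m.group(1)), int(m.group(2))), int(m.group(3) or 0)

def triage(version_text):
    train, patch = parse_version(version_text)
    key = f"{train[0]}.{train[1]}"
    result = {}
    for cve, fixes in FIXED.items():
        if train < OLDEST_SUPPORTED:
            result[cve] = "migrate: release earlier than 3.1 is unsupported"
        elif key not in fixes:
            result[cve] = "unknown: train not listed in article, check advisory"
        elif fixes[key] is None:
            result[cve] = "not affected"
        elif patch >= fixes[key]:
            result[cve] = "patched"
        else:
            result[cve] = f"vulnerable: needs Patch {fixes[key]}"
    return result

# Constructed inventory (hostnames and build numbers are made up).
INVENTORY = {
    "ise-pan-01": "3.2.0.542 patch 8",
    "ise-psn-02": "3.4 patch 6",
    "ise-lab-03": "3.0.0.458 patch 7",
    "ise-new-04": "3.5",
}

if __name__ == "__main__":
    for host, text in INVENTORY.items():
        for cve, status in triage(text).items():
            print(f"{host:12} {cve}  {status}")
```

Note that a node can be patched for one CVE group and still exposed to the other: the constructed ISE 3.2 Patch 8 node is covered for CVE-2026-20180 and CVE-2026-20186 but still needs Patch 10 for CVE-2026-20147.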
For the Webex certificate validation issue, the fix is already deployed on Cisco's cloud infrastructure. Customers need to generate and upload a new IdP SAML certificate through Control Hub to complete the remediation process. Cisco provides documentation walking through this process, and it is straightforward enough that most administrators should be able to complete it in under an hour.
Every organization has a patching backlog. Every IT team has more work than hours in the day. But vulnerabilities scoring 9.8 and 9.9 out of 10 deserve immediate attention. These are not the kind of bugs where you can wait for the next maintenance window or bundle them into quarterly updates. The combination of remote code execution potential, privilege escalation to root, and the possibility of complete service denial makes these patches a priority.
If you are running ISE and cannot patch immediately, consider what compensating controls you have in place. Review which accounts have administrative access, even read-only access, and confirm that all of them use strong authentication. Look at your network segmentation to understand what an attacker could reach if they compromised an ISE node. Think about your incident response procedures and whether your team would recognize the signs of ISE exploitation.
For Webex users, the certificate rotation is your action item. It is quick, it is low-risk, and it closes a door that should never have been open in the first place.
The broader lesson from this week's Cisco advisories is one the security community keeps learning over and over. Enterprise infrastructure, the products we trust to enforce security policies and manage access control, can itself become the attack vector. When the tools meant to protect your network contain critical vulnerabilities, attackers do not need to find weaknesses in your applications or trick your users. They can go straight for the infrastructure and work their way out from there.
Patch these flaws. Rotate your certificates. And maybe take a few minutes to review what other critical infrastructure in your environment has not been updated lately. These four vulnerabilities were disclosed responsibly and patched promptly. The next ones might not be.
References
- Cisco Security Advisories
https://sec.cloudapps.cisco.com/security/center/publicationListing.x
- CVE-2026-20184
https://nvd.nist.gov/vuln/detail/CVE-2026-20184