Multiple critical Cisco flaws
Cisco disclosed critical vulnerabilities across its products, including Webex Services bugs that could let unauthenticated attackers bypass authentication and impersonate users, and remote-code-execution flaws in ISE/ISE-PIC. Cisco advised customers to take extra configuration or remediation steps beyond vendor updates to address the issues. (bleepingcomputer.com; gbhackers.com)
A login system is the front door for cloud software, and Cisco said a flaw in Webex could have let outsiders walk through it as any user. (sec.cloudapps.cisco.com) Cisco published that advisory on April 15, 2026 and rated it critical with a CVSS score of 9.8. The bug, tracked as CVE-2026-20184, affected Webex Services when single sign-on was set up in Control Hub with trust anchors, and Cisco said an attacker could supply a crafted token after improper certificate validation. (sec.cloudapps.cisco.com)

Single sign-on means one identity provider handles logins for many apps, and Webex manages that setup in its Control Hub admin console. Cisco’s own help pages tell administrators to use Control Hub for certificate management, including updating identity-provider SAML certificates. (help.webex.com; help.webex.com)

Cisco said the Webex-side fix was not enough for every customer. Organizations using trust anchors still need to upload a new identity provider SAML certificate to Control Hub to avoid service interruption, and Cisco said there is no workaround for that case. (sec.cloudapps.cisco.com)

Cisco also disclosed critical flaws on April 15 in Identity Services Engine, or ISE, the product many companies use to decide which users and devices can join a network. Cisco describes ISE as an identity-based network access control and policy engine, and two separate April 15 advisories gave the new bugs CVSS scores of 9.9. (cisco.com; sec.cloudapps.cisco.com; sec.cloudapps.cisco.com)

One advisory covers CVE-2026-20147 and CVE-2026-20148 in Cisco ISE and Cisco ISE Passive Identity Connector, or ISE-PIC. Cisco said an attacker with valid administrative credentials could use crafted HTTP requests to run code or traverse paths on an affected device, and a successful attack on a single-node deployment could knock that node offline and block new endpoints from joining the network. (sec.cloudapps.cisco.com)

A second advisory covers CVE-2026-20180 and CVE-2026-20186 in Cisco ISE only. Cisco said an attacker with at least Read Only Admin credentials could execute commands on the underlying operating system, gain user-level access, and then elevate privileges to root. (sec.cloudapps.cisco.com)

The practical split is important for defenders. The Webex bug could be exploited without logging in, while the ISE bugs required administrative credentials, but ISE sits in the part of the network that decides who gets access in the first place. (sec.cloudapps.cisco.com; sec.cloudapps.cisco.com; sec.cloudapps.cisco.com)

Cisco said it had released software updates for the ISE issues and had already addressed the Webex service flaw, but both ISE advisories said there were no workarounds. For Webex customers using trust anchors, Cisco’s instruction was more specific: check the single sign-on configuration in Control Hub and replace the identity provider certificate if needed. (sec.cloudapps.cisco.com; sec.cloudapps.cisco.com; sec.cloudapps.cisco.com)

Cisco’s product security team said it was not aware of public announcements or malicious use of the Webex flaw as of the advisory update on April 16. The immediate job for customers is narrower and less glamorous: verify whether their Webex setup uses trust anchors, and patch ISE before an admin account turns into root access. (sec.cloudapps.cisco.com; sec.cloudapps.cisco.com)
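The Webex advisory above attributes the bug to improper certificate validation in an SSO setup built on trust anchors; the Python below is an added example, not Cisco's code and not a reconstruction of the Webex bug (the page gives no internals), showing the defensive rule such setups depend on: verify a token's signature only against the configured trust anchor, never against key material the token itself presents. The anchor, the HMAC stand-in for the IdP certificate and the header.claims.signature token layout are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed trust anchor: stands in for the IdP signing certificate an
# administrator registers in the SSO configuration. A raw HMAC key replaces
# X.509 so the example runs offline with the standard library only.
TRUST_ANCHOR = {"kid": "idp-signing-2026", "key": b"constructed-idp-secret"}

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, kid: str, key: bytes, embed_key: bool = False) -> str:
    """Build header.claims.signature; optionally carry the key in the header."""
    header = {"kid": kid}
    if embed_key:  # like an inline certificate in SAML KeyInfo or a JWT 'jwk'
        header["key"] = _b64e(key)
    body = _b64e(json.dumps(header).encode()) + "." + _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64e(sig)

def _parse(token: str):
    h, c, s = token.split(".")
    return f"{h}.{c}", json.loads(_b64d(h)), json.loads(_b64d(c)), _b64d(s)

def verify_weak(token: str) -> Optional[dict]:
    """Improper validation: the signature is checked with whatever key the
    token presents, so the signer is never tied to the configured anchor."""
    body, header, claims, sig = _parse(token)
    key = _b64d(header["key"]) if "key" in header else TRUST_ANCHOR["key"]
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(sig, expected) else None

def verify_pinned(token: str) -> Optional[dict]:
    """Proper validation: ignore key material in the token and verify only
    against the configured trust anchor; any kid mismatch is a rejection."""
    body, header, claims, sig = _parse(token)
    if header.get("kid") != TRUST_ANCHOR["kid"]:
        return None
    expected = hmac.new(TRUST_ANCHOR["key"], body.encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(sig, expected) else None
```

A token signed with a key that is not the registered anchor passes `verify_weak` and fails `verify_pinned`, which is the difference an administrator relies on when they rotate the IdP certificate in the admin console.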