Cisco fixed four critical flaws in Identity Services and Webex

Cisco fixed four critical flaws in Identity Services and Webex that could allow code execution and user impersonation.

Cisco has addressed four critical vulnerabilities affecting its Identity Services and Webex platforms. The flaws could allow attackers to execute arbitrary code and impersonate any user within the affected services. The issues pose serious security risks, prompting urgent updates to protect systems and prevent potential exploitation.

Below are the descriptions of the flaws:

• CVE-2026-20184 (CVSS 9.8): An improper certificate validation issue in Webex SSO integration with Control Hub could allow an unauthenticated remote attacker to impersonate any user and gain unauthorized access to Webex services.
• CVE-2026-20147 (CVSS 9.9): An input validation flaw in Identity Services Engine (ISE) and ISE-PIC could let an authenticated attacker with admin credentials execute remote code via crafted HTTP requests.
• CVE-2026-20180 / CVE-2026-20186 (CVSS 9.9): Input validation issues in ISE could allow attackers with read-only admin access to execute arbitrary OS commands using crafted HTTP requests.

Cisco says it has no evidence of public disclosure or active exploitation of these vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)