Identity, SSO/MFA, Application security

Cisco patches critical bugs in Webex, ISE

Logo of CISCO, an American multinational digital communications technology conglomerate corporation headquartered in San Jose, California.

Cisco on April 15 released a series of patches for critical bugs that affected Webex and Identity Services Engine (ISE).

Security experts warned that while the Webex bug may get the spotlight, teams should not overlook the ISE flaw on Cisco’s security policy management platform because it’s exactly what attackers want.

“This is at least the fourth round of critical ISE disclosures in the past 18 months, and that pattern matters,” said Rogier Fischer, chief executive officer at Hadrian. “Agentic AI tools are accelerating the rate at which new vulnerabilities surface, and security teams are rationing attention across more CVEs than they can properly prioritize. ISE keeps getting rolled up under the bigger brand name. That’s exactly the dynamic threat actors exploit.”

The critical 9.8 Webex bug — CVE-2026-20184 — impacts the single sign-on (SSO) integration with Control Hub and could let a remote attacker impersonate any user within the well-known video conferencing service. 

CVE-2026-20180 and CVE-2026-20186 — the two main 9.9 ISE flaws — could let remote, authenticated attackers that have read-only admin rights execute remote code execution (RCE) on the underlying operating system of an affected device. CVE-2026-20147 — also a 9.9 flaw —  lets attackers with admin privileges execute an RCE on the OS of an affected device.  

Jason Soroko, senior fellow at Sectigo, said the Webex vulnerability’s main danger is absolute trust manipulation. By exploiting a flawed certificate validation process, Soroko said an attacker can forge an authentication token and impersonate any user in sensitive environments such as government agencies and financial institutions.

“Security teams should treat this as an identity crisis rather than a routine software bug, because the initial patch stays incomplete until customers manually upload a new SAML certificate to their Control Hub,” said Soroko.

Soroko added that the ISE flaws present a different, but equally severe threat that often goes unnoticed. An attacker needs administrative credentials to trigger these exploits, but Soroko said a single compromised account grants full command execution on the underlying operating system of the organization’s core security policy platform.

“Administrators should apply the patches and audit privileged access controls to stop threat actors from weaponizing the infrastructure meant to protect the network,” said Soroko. ​​​​​​​​​​​

Hadrian’s Fischer said Webex may have faded from the consumer spotlight, but Cisco Calling still serves more than 18 million active users globally, processing around 8 billion calls a month across financial services, government, consulting, and media.

“But while WebEx grabs the headlines, the three ISE vulnerabilities disclosed alongside it deserve equal if not greater attention,” said Fischer. “Each has a CVSS score of 9.9, enables remote code execution, and ISE sits at the heart of how enterprises decide who gets on their network. Compromising it doesn’t just give an attacker a foothold, it gives them the keys to the castle.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds