Advisory

Cisco Patches Critical RCE and Impersonation Flaws in ISE and Webex

Take action: Make sure all Cisco ISE devices are isolated from the internet and only accessible from trusted management networks. Then update ISE to the fixed patch level for your version (3.1 Patch 11, 3.2 Patch 10, 3.3 Patch 11, 3.4 Patch 6, or 3.5 Patch 3). For Webex SSO with trust anchors, upload a new IdP SAML certificate to Control Hub.


Learn More

Cisco has released security advisories addressing five vulnerabilities in its Identity Services Engine (ISE) and Webex Services. Four of these flaws are rated critical, enabling attackers to run arbitrary code or impersonate users. 

Vulnerabilities summary:

  • CVE-2026-20184 (CVSS score 9.8) - An improper certificate validation flaw in the Cisco Webex Services SSO integration with Control Hub. Unauthenticated remote attackers can supply crafted tokens to service endpoints to impersonate any user within the service. This allows unauthorized access to legitimate Webex environments without requiring valid credentials.
  • CVE-2026-20147 (CVSS score 9.9) - An insufficient input validation vulnerability in Cisco ISE and ISE-PIC. Authenticated attackers with administrative credentials can send crafted HTTP requests to execute arbitrary commands on the underlying operating system. Successful exploitation allows an attacker to gain user-level access and subsequently elevate privileges to root.
  • CVE-2026-20180 (CVSS score 9.9) - A command execution vulnerability in Cisco ISE caused by poor validation of user-supplied input. Remote attackers possessing at least Read Only Admin credentials can use crafted HTTP requests to run commands on the device's operating system. This flaw can lead to a complete system takeover with root-level control.
  • CVE-2026-20186 (CVSS score 9.9) - An input validation issue in Cisco ISE that allows authenticated attackers with Read Only Admin access to trigger arbitrary command execution. By sending malicious HTTP requests, an attacker can obtain user-level OS access and escalate to root privileges. This vulnerability can also trigger a denial of service condition on single-node deployments.
  • CVE-2026-20148 (CVSS score 4.9) - A path traversal vulnerability in Cisco ISE and ISE-PIC. Authenticated attackers with administrative credentials can send crafted HTTP requests to read arbitrary files on the system. This allows for the unauthorized disclosure of sensitive system files and configuration data.

Exploiting the RCE flaws allows attackers to move from a low-privileged administrative session to full root control of the underlying Linux environment. In single-node ISE deployments, such attacks can cause the node to become unavailable, resulting in a denial of service (DoS) where new endpoints cannot authenticate to the network. 

The Webex flaw is equally dangerous, as it allows unauthenticated attackers to bypass SAML certificate checks to impersonate corporate users.

The affected products include:

  • Cisco ISE and ISE-PIC release trains 3.1, 3.2, 3.3, 3.4, and 3.5 at patch levels earlier than the fixed releases listed below. ISE-PIC is vulnerable to CVE-2026-20147 and CVE-2026-20148. CVE-2026-20180 and CVE-2026-20186 are limited to the standard ISE product.
  • Webex Services using trust anchors for SSO integration were also affected until Cisco applied cloud-side updates. 

Organizations should verify their current patch levels against the official Cisco fixed release table to ensure they are no longer exposed.

Administrators should update to ISE 3.1 Patch 11, 3.2 Patch 10, 3.3 Patch 11, 3.4 Patch 6, or 3.5 Patch 3 as appropriate for their deployment. 
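The patch-level check described above, as an added example that is not part of the advisory or of any Cisco tooling. It encodes the fixed patch levels and the product applicability stated in this advisory, parses a version string of the constructed form "3.2.0.542 Patch 7" (the exact `show version` format is not taken from the page and is an assumption), and reports which of the listed CVEs still apply to a node. Release trains that the advisory does not list are reported as unknown rather than guessed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Fixed patch level per release train, taken from the advisory text.
FIXED_PATCH = {"3.1": 11, "3.2": 10, "3.3": 11, "3.4": 6, "3.5": 3}

# Which advisory CVEs apply to which product, per the affected-products list.
CVES_BY_PRODUCT = {
    "ISE": ["CVE-2026-20147", "CVE-2026-20148", "CVE-2026-20180", "CVE-2026-20186"],
    "ISE-PIC": ["CVE-2026-20147", "CVE-2026-20148"],
}

# Assumed input format: "<major>.<minor>[.<more>...] [Patch <n>]". This is a
# constructed convention for the example, not a documented Cisco output format.
_VERSION_RE = re.compile(r"^\s*(\d+\.\d+)(?:\.\d+)*\s*(?:Patch\s+(\d+))?\s*$", re.IGNORECASE)


@dataclass
class Assessment:
    product: str
    train: str
    patch: int
    fixed_patch: Optional[int]
    exposed: Optional[bool]          # None means the train is not in the table
    applicable_cves: List[str] = field(default_factory=list)
    note: str = ""


def parse_version(text: str):
    """Split a version string into its release train and installed patch number (0 if none)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), int(m.group(2) or 0)


def assess(product: str, version_text: str) -> Assessment:
    """Compare one node's patch level against the advisory's fixed releases."""
    product = product.upper()
    if product not in CVES_BY_PRODUCT:
        raise ValueError(f"unknown product: {product!r}")
    train, patch = parse_version(version_text)
    fixed = FIXED_PATCH.get(train)
    if fixed is None:
        # Not in the advisory's table: do not guess, tell the operator to check Cisco's table.
        return Assessment(product, train, patch, None, None, [],
                          "release train not listed in this advisory; verify against Cisco's fixed release table")
    exposed = patch < fixed
    cves = CVES_BY_PRODUCT[product] if exposed else []
    note = (f"update to {train} Patch {fixed}" if exposed
            else f"at or above the fixed level ({train} Patch {fixed})")
    return Assessment(product, train, patch, fixed, exposed, cves, note)


if __name__ == "__main__":
    # Constructed inventory of nodes for a quick run.
    for product, version in [("ISE", "3.2.0.542 Patch 7"), ("ISE-PIC", "3.3 Patch 11"),
                             ("ISE-PIC", "3.1 Patch 5"), ("ISE", "3.0 Patch 3")]:
        a = assess(product, version)
        print(f"{product:8} {version:20} exposed={a.exposed} cves={a.applicable_cves} {a.note}")
```

The ISE-PIC branch matters in practice: a PIC node on an old patch is still exposed to the command execution flaw CVE-2026-20147 and the path traversal CVE-2026-20148, but not to the two Read Only Admin flaws, so its result lists only the two applicable identifiers.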

For Webex, although the service is cloud-based and has been patched, customers using trust anchors must manually upload a new identity provider (IdP) SAML certificate to the Control Hub to prevent service interruption and maintain security. 
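To make the trust-anchor point concrete, here is an added example of how a SAML service provider should pin the IdP signing certificate, and how uploading a new certificate is handled as an overlap rather than a cut-over. This is illustrative code written for this page, not Cisco's code, and the advisory does not say which check failed in Webex; the weak and strict functions below contrast the general anti-pattern (trusting whatever certificate the message carries) with the pinned form. The SAML response and the "certificates" are constructed byte strings, and only certificate selection is shown; the XML signature itself still has to be verified with the selected key.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, the form a trust anchor is stored in."""
    return hashlib.sha256(der_bytes).hexdigest()


def embedded_signing_cert(response_xml: str):
    """Return the certificate embedded in the response's ds:KeyInfo, or None if absent."""
    root = ET.fromstring(response_xml)
    node = root.find(f".//{{{DS_NS}}}X509Certificate")
    if node is None or not (node.text or "").strip():
        return None
    return base64.b64decode("".join(node.text.split()))


def select_signing_cert_weak(response_xml: str):
    """Anti-pattern: the sender chooses the key, so any self-issued certificate is accepted."""
    return embedded_signing_cert(response_xml)


def select_signing_cert(response_xml: str, trust_anchors: set):
    """Pinned form: the embedded certificate is usable only if it matches a configured anchor."""
    if not trust_anchors:
        raise ValueError("no IdP trust anchors configured")
    cert = embedded_signing_cert(response_xml)
    if cert is None:
        raise ValueError("response carries no signing certificate")
    if fingerprint(cert) not in trust_anchors:
        raise ValueError("embedded certificate matches no configured trust anchor")
    return cert


def is_accepted(response_xml: str, trust_anchors: set) -> bool:
    """Boolean wrapper around select_signing_cert for callers that only need a verdict."""
    try:
        select_signing_cert(response_xml, trust_anchors)
        return True
    except ValueError:
        return False


def build_response(cert_der: bytes) -> str:
    """Constructed minimal SAML Response carrying a certificate in KeyInfo (illustration only)."""
    b64 = base64.b64encode(cert_der).decode()
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:ds="{DS_NS}">'
        "<ds:Signature><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature>"
        "</samlp:Response>"
    )


# Constructed stand-ins for DER certificates; real anchors would be the IdP's actual certificate bytes.
IDP_CERT_OLD = b"constructed-der-bytes-idp-cert-old"
IDP_CERT_NEW = b"constructed-der-bytes-idp-cert-new"
UNRELATED_CERT = b"constructed-der-bytes-not-the-idp"


def rotation_demo():
    """Walk through uploading a new IdP certificate as an overlap so sign-in never breaks."""
    anchors = {fingerprint(IDP_CERT_OLD)}            # state before rotation
    before = is_accepted(build_response(IDP_CERT_NEW), anchors)
    anchors.add(fingerprint(IDP_CERT_NEW))           # upload the new certificate: both valid
    during = is_accepted(build_response(IDP_CERT_OLD), anchors) and \
             is_accepted(build_response(IDP_CERT_NEW), anchors)
    anchors.discard(fingerprint(IDP_CERT_OLD))       # retire the old one once the IdP has switched
    after = is_accepted(build_response(IDP_CERT_OLD), anchors)
    return before, during, after


if __name__ == "__main__":
    print("rotation (before, during, after):", rotation_demo())
    print("weak selector accepts unrelated cert:",
          select_signing_cert_weak(build_response(UNRELATED_CERT)) == UNRELATED_CERT)
```

The rotation walk-through is the operational reason behind the advisory's last step: if the IdP starts signing with a new certificate before the new anchor is uploaded, the strict check rejects every login, which is the service interruption the advisory warns about; adding the new anchor first and retiring the old one afterwards avoids that gap without ever falling back to the weak selector.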
