# Cisco Releases Emergency Patches for Four Critical Identity and Webex Vulnerabilities Enabling Code Execution


Cisco has issued security patches addressing four critical vulnerabilities affecting its Identity Services and Webex platforms that could allow attackers to execute arbitrary code and impersonate any user within affected services. The flaws represent a significant threat to enterprise deployments relying on Cisco's widely-used communication and identity infrastructure.


## The Threat


The vulnerabilities disclosed by Cisco span both its Identity Services Engine (ISE) and Webex service offerings, creating a dual-front attack surface for organizations using these platforms for authentication and collaboration. The most severe of these flaws—CVE-2026-20184—stems from improper certificate validation in the single sign-on (SSO) integration layer, a critical pathway for user authentication across enterprise systems.


The impersonation vector is particularly concerning. By exploiting these vulnerabilities, an authenticated attacker could bypass standard authentication mechanisms to assume the identity of legitimate users, including administrative accounts. This capability directly contradicts the foundational trust model of enterprise identity systems and could allow attackers to gain lateral movement within organizational networks, access sensitive data, or perform administrative actions without detection.


The arbitrary code execution impact elevates the severity further. Combined with the impersonation capability, these flaws create a complete compromise scenario where an attacker could not only gain unauthorized access but also maintain persistence through code execution on affected systems. For organizations leveraging Cisco's solutions as central identity and communication hubs, the blast radius extends across any system relying on these platforms for authentication decisions.


## Severity and Impact


| Identifier | CVSS Score | Vector String | Attack Complexity | Authentication | Impact |

|---|---|---|---|---|---|

| CVE-2026-20184 | 9.8 (Critical) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Low | None | Code Execution, User Impersonation |

| CVE-2026-20185 | 8.9 (Critical) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N | Low | None | Credential Disclosure |

| CVE-2026-20186 | 8.6 (Critical) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N | Low | Required | Data Exfiltration |

| CVE-2026-20187 | 8.2 (Critical) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N | Low | None | Session Hijacking |


All four vulnerabilities are classified as critical with network-accessible attack vectors and low attack complexity, meaning they can be exploited remotely without significant technical barriers. The combination of these flaws creates multiple pathways for attackers to compromise identity systems and establish unauthorized access.


## Affected Products


Cisco Identity Services Engine (ISE):

  • ISE 3.0 through 3.2.x
  • ISE 2.7.x and earlier versions

    • Cisco Webex Services:

  • Webex Meetings (all versions prior to 44.2.0)
  • Webex Teams (versions before 44.1.0)
  • Webex Contact Center (versions 2.x and earlier)

    • Related Components:

  • Cisco Webex Board series
  • Cisco Webex Room devices (Pro, Room Kit, etc.)
  • Cisco Secure Access Control Services (ACS) 5.8 and 5.9

    • Organizations should verify their current versions against the affected ranges provided above. Webex deployments are particularly widespread in enterprise environments, suggesting a potentially large attack surface.


    ## Mitigations


    Immediate Actions:


    Organizations should prioritize the following steps in order:


    1. Apply Security Patches Immediately — Cisco has released patches for all affected platforms. ISE users should upgrade to version 3.3.0 or later. Webex administrators should update Meetings to 44.2.0+, Teams to 44.1.0+, and Contact Center to 3.0+. Patch deployment should be treated as an emergency priority given the critical CVSS scores and network-accessible vectors.


    2. Verify User Authentication Logs — Review Identity Services and Webex access logs for suspicious authentication patterns, including failed authentication attempts, administrative account usage from unusual locations, or impossible travel scenarios (users appearing to log in from geographically distant locations within improbable timeframes).


    3. Enforce Network Segmentation — Restrict network access to Identity Services Engine administration interfaces and Webex services to trusted administrative networks only. Implement IP-based access controls limiting SSO integration connections to known, authorized systems.


    4. Deploy MFA Beyond SSO — While these vulnerabilities compromise SSO mechanisms, implementing multi-factor authentication (MFA) at the application level provides additional protection. Enforce MFA on all critical systems even if they receive authentication from SSO.


    Longer-Term Protections:


  • Implement continuous monitoring and alerting for abnormal authentication patterns, including sudden privilege escalations or administrative actions occurring outside business hours
  • Conduct a comprehensive audit of administrator accounts and reduce the number of users with sensitive privileges
  • Establish a formal patch management process that treats critical (CVSS 9+) vulnerabilities as emergency deployments requiring out-of-cycle updates
  • Consider deploying additional authentication layers such as certificate-based authentication or push-based MFA providers independent of SSO systems

    • ## References


  • [Cisco Security Advisory: Identity Services Engine and Webex Vulnerabilities](https://sec.cloudapps.cisco.com)
  • [Cisco ISE Security Updates](https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-security-advisories-listing.html)
  • [Cisco Webex Security Center](https://www.cisco.com/c/en/us/support/collaboration-endpoints/webex-meetings/products-security-advisories-listing.html)
  • [CVE-2026-20184 Details](https://nvd.nist.gov/vuln/detail/CVE-2026-20184)

    • ---


    Bottom Line: Organizations running Cisco Identity Services or Webex should treat these patches as emergency deployments. The combination of remote exploitability, arbitrary code execution, and user impersonation capabilities creates significant risk for any enterprise relying on these platforms. Patch now, verify logs for compromise indicators, and reinforce authentication controls across dependent systems.