Cisco has published fixes for four critical vulnerabilities affecting its Identity Services Engine (ISE) and functions related to Webex Services. The flaws could allow anything from remote code execution to an attacker impersonating any user within the service, with consequences ranging from loss of session integrity to complete takeover of the system or denial of service.
The risk is high and concrete: one of the vulnerabilities (tracked as CVE-2026-20184) stems from improper certificate validation in the SSO integration with Control Hub in Webex Services, which could allow an unauthenticated attacker to impersonate identities within the service. The other three (CVE-2026-20147, CVE-2026-20180 and CVE-2026-20186) are input validation errors in Cisco ISE and the Passive Identity Connector (ISE-PIC) component that, depending on the privilege scenario, allow anything from remote code execution to execution of commands on the underlying operating system and subsequent elevation to root.

According to Cisco's security advisory, successful exploitation of the ISE vulnerabilities could even make a node unavailable in single-node deployments, causing a denial-of-service condition in which endpoints that have not already authenticated cannot access the network until the node is restored. Cisco says that, for the moment, it has no indication of active exploitation of these flaws, but strongly recommends applying the published updates as soon as possible. Cisco's official statement and recommendations are available at its security centre: Cisco Security Advisories.
As for specific actions, CVE-2026-20184 is handled on the cloud side and does not require customers to apply a software patch; however, Cisco advises organizations that use SSO to upload a new SAML certificate from their identity provider (IdP) in Control Hub to mitigate the user impersonation vector. For the problems affecting ISE and ISE-PIC, Cisco has released fixes in specific versions: CVE-2026-20147 is fixed in releases such as ISE 3.1 (3.1 Patch 11), 3.2 (Patch 10), 3.3 (Patch 11), 3.4 (Patch 6) and 3.5 (Patch 3); CVE-2026-20180 and CVE-2026-20186 are fixed in ISE 3.2 (Patch 8), 3.3 (Patch 8) and 3.4 (Patch 4), and do not affect 3.5. If a version earlier than those mentioned is in use, Cisco recommends migrating to a fixed version as soon as possible. Download information and upgrade guides for ISE are available on the product support page: Cisco Identity Services Engine - Support.
Beyond installing patches, complementary mitigation measures are advisable: review logs and telemetry for abnormal behavior consistent with exploitation attempts, restrict administrative access and audit privileged accounts, take backups before applying updates, and test patches in pre-production environments where possible to avoid unexpected impact. It is also recommended to renew SAML certificates and validate the SSO configuration to minimize the risk of impersonation, using good practices for SAML and identity control as a reference. Resources on good practice in identity management and input validation are available from NIST and the OWASP community: NVD (NIST) and OWASP - Input Validation.

From an operational perspective, security teams should prioritize Internet-exposed instances and nodes in single-node topologies, since in these environments exploitation could have an immediate operational impact on network access. If there is doubt as to whether an installation is affected, consult Cisco's technical advisories and, if necessary, open a support case to obtain specific guidance on the update or a temporary mitigation.
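The patch levels and the prioritization described above can be combined into a quick triage pass over an asset inventory. This is an added example, not Cisco tooling: the CSV layout, host names and function names are hypothetical, and the fixed-patch table is transcribed from this article, so confirm it against Cisco's advisories before relying on it.

```python
import csv
import io

# Minimum fixed patch per ISE release, transcribed from the article above.
# None = release reported as not affected. Confirm against Cisco's advisories.
FIXED = {
    "CVE-2026-20147": {"3.1": 11, "3.2": 10, "3.3": 11, "3.4": 6, "3.5": 3},
    "CVE-2026-20180": {"3.2": 8, "3.3": 8, "3.4": 4, "3.5": None},
    "CVE-2026-20186": {"3.2": 8, "3.3": 8, "3.4": 4, "3.5": None},
}

# Constructed sample inventory: host names and CSV layout are hypothetical.
SAMPLE = """name,release,patch,internet_exposed,single_node
ise-hq-01,3.3,11,no,no
ise-branch-07,3.4,4,no,yes
ise-dmz-02,3.2,7,yes,no
ise-lab-01,3.5,0,no,yes
ise-old-03,3.0,8,no,no
"""


def open_cves(release, patch):
    """Return {cve: action} for CVEs this release/patch level is not fixed for."""
    todo = {}
    for cve, table in FIXED.items():
        if release not in table:
            # Article lists no fixed patch for this release: plan a migration.
            todo[cve] = "no fix listed for this release, migrate"
        elif table[release] is not None and patch < table[release]:
            todo[cve] = f"install {release} Patch {table[release]}"
    return todo


def triage(inventory_csv):
    """Return unpatched nodes: Internet-exposed first, then single-node."""
    nodes = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        todo = open_cves(row["release"].strip(), int(row["patch"]))
        if todo:
            exposed = row["internet_exposed"].strip().lower() == "yes"
            single = row["single_node"].strip().lower() == "yes"
            nodes.append((row["name"], exposed, single, todo))
    nodes.sort(key=lambda n: (not n[1], not n[2], -len(n[3]), n[0]))
    return nodes


if __name__ == "__main__":
    for name, exposed, single, todo in triage(SAMPLE):
        print(name, "exposed" if exposed else "-", "single" if single else "-")
        for cve, action in sorted(todo.items()):
            print("   ", cve, "->", action)
```

Releases that the article does not list for a given CVE are reported as migration candidates rather than assumed safe.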
The usual dynamic in these scenarios is clear: even though there is no public evidence of exploitation at present, flaws that enable remote code execution and impersonation leave too wide a window of risk to postpone the fixes. Updating systems, validating SSO configurations and auditing administrative accounts should be at the top of the task list for any security or network administrator using Cisco ISE or Webex Services.
Finally, keeping the asset inventory up to date and establishing response processes that cover detection, containment and recovery will help reduce the impact if an organization detects an intrusion attempt. To keep up with public alerts and official CVE entries, you can also follow the NIST vulnerability database and Cisco PSIRT's own announcements on its security portal.