Cisco has published patches for four vulnerabilities classified as critical, including a certificate validation flaw in its cloud-based Webex Services platform which, although already fixed by the company, requires customers to take additional action to avoid service interruptions.
Webex Services is Cisco's platform for communication and collaboration in hybrid working environments. The most serious problem reported this week is tracked as CVE-2026-20184 and affects the single sign-on (SSO) integration with Control Hub, the cloud panel that manages Webex settings. In simple terms, incorrect validation of tokens allowed a remote attacker with no prior privileges to impersonate any user, simply by presenting a manipulated token to a service endpoint. Cisco's official explanation is in its security advisory: Cisco Security Advisory - Webex.

Cisco indicates that the Webex service has already been updated on its side, but adds that organizations that use SSO should upload a new SAML certificate from their identity provider (IdP) to Control Hub so that the integration continues to function properly and access is not interrupted. The step-by-step instructions for this operation are in the official Webex documentation: Manage SSO integration in Control Hub.
In addition to the Webex flaw, Cisco released fixes for three critical vulnerabilities in the Identity Services Engine (ISE) platform, tracked as CVE-2026-20147, CVE-2026-20180 and CVE-2026-20186. These vulnerabilities allow the execution of arbitrary commands on the underlying operating system, but require that the attacker already have administrative credentials on the target device. Although the credential requirement raises the barrier to entry, the risk remains high in environments where administrator accounts are not strictly controlled.
Cisco also points out that the series of updates published this week addressed a dozen additional flaws, including about ten medium-severity vulnerabilities that could allow an attacker to bypass authentication, escalate privileges or cause denial of service. The complete list of advisories is available in Cisco's public repository: Cisco security publications. At the moment, Cisco's PSIRT team has found no evidence of active exploitation of these flaws in real attacks.
This set of patches arrives at a time when Cisco vulnerabilities have been the target of exploitation campaigns in recent months. Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to urgently patch a maximum-severity vulnerability in the Secure Firewall Management Center (CVE-2026-20131), which had been used as a zero-day in attacks involving the Interlock ransomware. For more context on exploited vulnerabilities and government response actions, see the catalogue of known exploited vulnerabilities maintained by CISA: Known Exploited Vulnerabilities Catalog (CISA), as well as the NVD entry for that CVE: CVE-2026-20131 (NVD).
What should security leads and administrators do right now? First, apply the patches that Cisco publishes as soon as possible, giving priority to exposed systems and centralized authentication platforms. In the specific case of Webex with SSO, in addition to the fix applied on the platform, it is essential to follow the Cisco guide and upload the new SAML certificate from the IdP to Control Hub. Before doing so in production, it is advisable to test the update in a controlled environment and coordinate maintenance windows to minimize the impact on end users.

For ISE deployments, although exploitation requires administrative credentials, the recommendation remains urgent: patch, review privileged accounts, strengthen administrative access with multi-factor authentication and audit logging, and segment the management of critical systems to reduce the attack surface. It is also good practice to audit logs for unusual activity and to review access controls on the directory and the IdP.
Security does not end with applying a patch: rotating certificates and keys, invalidating old sessions and tokens, and validating that SSO integrations work properly are necessary steps to close the cycle. If there are doubts or anomalies are detected, the right course is to contact Cisco support and follow the specific recommendations in the security advisory. Cisco PSIRT's central advisory page is a key resource: Cisco PSIRT - advisories and bulletins.
In short, these fixes highlight two recurring lessons: identity integrations are an attractive target for attackers because of the power a compromised account offers, and network and management infrastructure (such as ISE or FMC) requires strict access controls and timely updates. Acting now, coordinating changes with identity and operations teams, and keeping track of the logs is what will make the difference between a routine update and the effective mitigation of a real risk.