Cisco says critical Webex Services flaw requires customer action

Summary

Cisco released security updates addressing four critical vulnerabilities, including CVE-2026-20184 in Webex Services that allows unauthenticated remote attackers to impersonate any user via improper certificate validation in SSO integration with Control Hub. Customers using SSO must manually upload a new SAML certificate to their identity provider to prevent service interruption. The company also patched three critical flaws in Identity Services Engine (ISE) requiring administrative credentials for exploitation, plus ten medium-severity issues affecting authentication and privilege escalation.

Full text

Cisco says critical Webex Services flaw requires customer action By Sergiu Gatlan April 16, 2026 08:01 AM 0 Cisco has released security updates to patch four critical vulnerabilities, including a fixed improper certificate validation flaw in the company's cloud-based Webex Services platform that requires further customer action. Webex Services is a customer experience platform that unifies communication across hybrid work environments, enabling team members to call, meet, and message each other from any location or device. Tracked as CVE-2026-20184, the Webex vulnerability was found in the single sign-on (SSO) integration with Control Hub (a web-based portal that helps IT admins manage Webex settings) and allows remote attackers with no privileges to impersonate any user. "Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by connecting to a service endpoint and supplying a crafted token," Cisco explained in a Wednesday advisory. "A successful exploit could have allowed the attacker to gain unauthorized access to legitimate Cisco Webex services." While the company has already addressed this security flaw in the Cisco Webex service, it warned customers who use SSO integration that they must upload a new SAML certificate for their identity provider (IdP) to Control Hub to avoid service interruption. On Wednesday, the company also patched three critical security flaws (CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186) in the Identity Services Engine (ISE) security policy management platform. Attackers could exploit these vulnerabilities to execute arbitrary commands on the underlying operating system regardless of device configuration; however, successful exploitation requires administrative credentials on the targeted systems. The complete list of security issues addressed this week also includes 10 medium-severity flaws that can be abused to bypass authentication, escalate privileges, and trigger denial-of-service states. Cisco also added that its Product Security Incident Response Team (PSIRT) had no evidence that any of them had been exploited in attacks. Last month, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch a maximum-severity vulnerability (CVE-2026-20131) in Cisco's Secure Firewall Management Center (FMC) that had been exploited as a zero-day in Interlock ransomware attacks since late January 2026. Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Get Your Copy Now Related Articles: Hackers exploit React2Shell in automated credential theft campaignCISA orders feds to patch max-severity Cisco flaw by SundayRansomware gang exploits Cisco flaw in zero-day attacks since JanuaryCisco fixes critical pre-auth bugs in SD-WAN, cloud license managerCisco fixes bug allowing remote code execution with root privileges

Indicators of Compromise

• cve — CVE-2026-20184
• cve — CVE-2026-20147
• cve — CVE-2026-20180
• cve — CVE-2026-20186
• cve — CVE-2026-20131

Entities