INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Cisco Fixes Identity Services and Webex Flaws
2026-04-16 19:19 | CRITICAL | HIGH
Executive Summary (AI-generated)
The recent incident data reveals a critical flaw in Cisco's Identity Services and Webex that allows attackers to execute arbitrary code and impersonate any user within the affected services. The vulnerabilities were identified as four critical flaws in Identity Services Engine (ISE) and ISE-PIC, which could be exploited remotely via crafted HTTP requests. Cisco has patched these flaws, but customers are advised to upload a new SAML certificate for their identity provider (IdP) to Control Hub to avoid service interruption. The company has also stated that it found no evidence of the flaws being exploited in attacks.
Technical Mitigations (AI-generated)
* Implement secure authentication and authorization: Ensure that all users have strong, unique passwords and that access to sensitive data is restricted to necessary personnel. Implement multi-factor authentication (MFA) whenever possible.
* Keep operating systems and software up-to-date: Regularly update operating systems, browsers, and other software to ensure that known vulnerabilities are patched before they can be exploited by attackers.
* Use secure protocols for communication: Use HTTPS or SFTP instead of HTTP when transferring sensitive data over the internet. This will help prevent eavesdropping and tampering with data in transit.
* Monitor system logs and perform regular security audits: Regularly review system logs to detect potential security incidents, such as unauthorized access attempts or suspicious activity. Perform regular security audits to identify vulnerabilities and weaknesses in systems and applications.
* Implement a secure patch management process: Develop a plan for applying patches to all affected systems and software, including testing and verification of the effectiveness of each patch before deploying it to production environments.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-20184
CVE-2026-20186
CVE-2026-20180
CVE-2026-20147
CVE-2026-20131
Target & Sectors
Global Scope
Incident Timeline
late January 2026
Threat actors exploited a zero-day vulnerability in Cisco's Secure Firewall Management Center (FMC) in Interlock ransomware attacks.
tactic
Ransomware
Last month, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch a maximum-severity vulnerability (CVE-2026-20131) in Cisco's Secure Firewall Management Center (FMC) that had been exploited as a zero-day in Interlock ransomware attacks since late January 2026.
vulnerability
CVE-2026-20131
attribution
Secure Firewall Management Center
2026/03/17
Threat actors exploited a maximum-severity vulnerability in Cisco's Secure Firewall Management Center (FMC) in Interlock ransomware attacks.
tactic
Ransomware
vulnerability
CVE-2026-20131
attribution
Secure Firewall Management Center
Apr 16, 2026
Threat actors exploited four critical vulnerabilities in Cisco's Identity Services and Webex to gain unauthorized access.
2026/04/16
Cisco fixed four critical flaws in Identity Services and Webex.
organisation
Identity Services
Cisco fixed four critical flaws in Identity Services and Webex
Cisco fixed four critical flaws in Identity Services and Webex that could allow code execution and user impersonation.
organisation
Control Hub
Below are the descriptions of the flaws:
CVE-2026-20184 (CVSS 9.8): An improper certificate validation issue in Webex SSO integration with Control Hub could allow an unauthenticated remote attacker to impersonate any user and gain unauthorized access to Webex services.
Tracked as CVE-2026-20184, the Webex vulnerability was found in the single sign-on (SSO) integration with Control Hub (a web-based portal that helps IT admins manage Webex settings) and allows remote attackers with no privileges to impersonate any user.
However, customers who are using SSO are advised to upload a new identity provider (IdP) SAML certificate to Control Hub.
organisation
Vulnerability / Network Security
Ravie Lakshmanan
Apr 16, 2026
Vulnerability / Network Security
Cisco has announced patches to address four critical security flaws impacting Identity Services and Webex Services that could result in arbitrary code execution and allow an attacker to impersonate any user within the service.
organisation
Identity Services and Webex Services
organisation
Cisco Webex
An improper certificate validation in the integration of single sign-on (SSO) with Control Hub in Webex Services that could allow an unauthenticated, remote attacker to impersonate any user within the service and gain unauthorized access to legitimate Cisco Webex services.
"A successful exploit could have allowed the attacker to gain unauthorized access to legitimate Cisco Webex services.
organisation
Control Hub in Webex Services
organisation
IdP
While the company has already addressed this security flaw in the Cisco Webex service, it warned customers who use SSO integration that they must upload a new SAML certificate for their identity provider (IdP) to Control Hub to avoid service interruption.
organisation
SSO
organisation
CVE-2026-20147
CVE-2026-20147 (CVSS 9.9): An input validation flaw in Identity Services Engine (ISE) and ISE-PIC could let an authenticated attacker with admin credentials execute remote code via crafted HTTP requests.
CVE-2026-20147 (CVSS score: 9.9) - An insufficient validation of user-supplied input vulnerability in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow an authenticated, remote attacker in possession of valid administrative credentials to achieve remote code execution by sending crafted HTTP requests.
organisation
Identity Services Engine
organisation
ISE-PIC
organisation
the Identity Services Engine
On Wednesday, the company also patched three critical security flaws (CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186) in the Identity Services Engine (ISE) security policy management platform.
organisation
Cisco
"A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root," Cisco said in an advisory for CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186.
infrastructure
3.1
The remaining vulnerabilities have been addressed in the following versions -
CVE-2026-20147
Cisco ISE or ISE-PIC Release earlier than 3.1 (Migrate to a fixed release)
Cisco ISE Release 3.1 (3.1 Patch 11)
organisation
Cisco ISE
organisation
ISE-PIC Release
organisation
Migrate
organisation
CVE-2026
CVE-2026-20180 / CVE-2026-20186 (CVSS 9.9): Input validation issues in ISE could allow attackers with read-only admin access to execute arbitrary OS commands using crafted HTTP requests.
CVE-2026-20180 and CVE-2026-20186 (CVSS scores: 9.9) - Multiple insufficient validation of user-supplied input vulnerabilities in ISE could allow an authenticated, remote attacker in possession of read only admin credentials to execute arbitrary commands on the underlying operating system of an affected device by sending crafted HTTP requests.
organisation
Passive Identity Connector
organisation
CVSS
infrastructure
3.2
CVE-2026-20147
Cisco ISE Release 3.2 (3.2 Patch 10)
Cisco ISE Release 3.3 (3.3 Patch 11)
Cisco ISE Release 3.4 (3.4 Patch 6)
Cisco ISE Release 3.5 (3.5 Patch 3)
CVE-2026-20180 and CVE-2026-20186
Cisco ISE Release earlier than 3.2 (Migrate to a fixed release)
Cisco ISE Release 3.2 (3.2 Patch 8)
Cisco ISE Release 3.3 (3.3 Patch 8)
Cisco ISE Release 3.4 (3.4 Patch 4)
Cisco ISE Release 3.5 (Not Vulnerable)
While Cisco noted that it is not aware of any of these shortcomings being exploited in the wild, it's essential that users update their instances to the latest version for optimal protection.
infrastructure
3.4
infrastructure
3.5
organisation
Identity Services and Webex
Cisco fixed four critical flaws in Identity Services and Webex.
organisation
SecurityAffairs
Pierluigi Paganini (SecurityAffairs – hacking, Cisco)
organisation
Webex Services
Cisco says critical Webex Services flaw requires customer action.
organisation
Product Security Incident Response Team
Cisco also added that its Product Security Incident Response Team (PSIRT) had no evidence that any of them had been exploited in attacks.
infrastructure
3.3
organisation
Cisco ISE Release
Cisco ISE Release 3.1 (3.1 Patch 11)
organisation
DoS
"In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition.
Tactical Metrics
Metrics
infrastructure
Software Version
3.1, 3.2, 3.3, 3.4, 3.5
The remaining vulnerabilities have been addressed in the following versions -
CVE-2026-20147
Cisco ISE or ISE-PIC Release earlier than 3.1 (Migrate to a fixed release)
Cisco ISE Release 3.1 (3.1 Patch 11)
Cisco ISE Release 3.2 (3.2 Patch 10)
Cisco ISE Release 3.3 (3.3 Patch 11)
Cisco ISE Release 3.4 (3.4 Patch 6)
Cisco ISE Release 3.5 (3.5 Patch 3)
CVE-2026-20180 and CVE-2026-20186
Cisco ISE Release earlier than 3.2 (Migrate to a fixed release)
Cisco ISE Release 3.2 (3.2 Patch 8)
Cisco ISE Release 3.3 (3.3 Patch 8)
Cisco ISE Release 3.4 (3.4 Patch 4)
Cisco ISE Release 3.5 (Not Vulnerable)
While Cisco noted that it is not aware of any of these shortcomings being exploited in the wild, it's essential that users update their instances to the latest version for optimal protection.
Intelligence Sources
Security Affairs, 2026-04-16: Cisco fixed four critical flaws in Identity Services and Webex
BleepingComputer, 2026-04-16: Cisco says critical Webex Services flaw requires customer action
The Hacker News, 2026-04-16
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T06:16
Comprehensive Tactical Telemetry
Highly Correlated Entities
26x organisation, Identified Entity: Identity Services (entity)
5x vulnerability, Exploited CVE: CVE-2026-20184 (cve)
5x timeline, Temporal Reference: 2026/03/17 (date)
5x infrastructure, Software Version: 3.1 (version)
4x tactic, Cyber Operation Type: Impersonation (tactic)
4x general metric, Patch: 11 (patch)
4x general metric, Ise Release: 3 (ise release)
2x vulnerability, CVSS Score: 10 (score)
2x attribution, Attributing Entity: the Cybersecurity and Infrastructure Security Agency (authority)
Contextual Telemetry
Context Block: 6 METRICS
general metric, May: 14 (may)
general metric, Severity Flaws: 10 (severity flaws)
general metric, Apr: 16 (apr)
general metric, Score: 10 (score)
general metric, Cvss Score: 10 (cvss score)
general metric, Migrate: 3 (migrate)