If your business runs Cisco Webex for video meetings and collaboration, or uses Cisco Identity Services Engine (ISE) to control who gets onto your corporate network, drop what you are doing. On April 16, 2026, Cisco published patches for four critical security vulnerabilities — two affecting Webex Services and two affecting ISE — with Common Vulnerability Scoring System (CVSS) ratings of 9.8 and 9.9 out of 10. That is about as severe as enterprise software vulnerabilities get. One of those flaws requires immediate action from customers even after Cisco has deployed its server-side fix.
This is not a "patch it sometime this quarter" situation. The vulnerabilities allow unauthenticated attackers to impersonate any user in your Webex environment, and authenticated attackers — including those with nothing more than read-only admin credentials — to execute arbitrary commands on the operating system of your Cisco ISE appliances. Here is what each flaw means in practice, and what your IT team needs to do today.
The Four Vulnerabilities: A Plain-English Breakdown
CVE-2026-20184 — Webex SSO User Impersonation (CVSS 9.8)
This is the flaw that demands the most immediate customer action. The vulnerability lies in how Webex Services validates the SAML certificate used for Single Sign-On (SSO) integration with Cisco Control Hub. Due to improper certificate validation, an unauthenticated remote attacker can exploit this flaw to impersonate any user within your Webex environment — including executives, IT administrators, and finance teams.
What that means in practice: an attacker could silently join internal Webex meetings as a trusted employee, access shared files and collaboration spaces, read private messages, and potentially use that access as a launchpad for deeper social engineering. Because the attacker appears to the platform as a legitimate, authenticated user, standard activity monitoring may not flag the intrusion.
Cisco has already patched the server-side component of this flaw. But here is the critical part: if your organisation uses SSO integration, you must also upload a new SAML certificate for your Identity Provider (IdP) directly to Webex Control Hub. This is a customer-side action that Cisco cannot perform for you. Organizations that skip this step remain exposed to service disruption even after the server-side patch is live.
CVE-2026-20147 — ISE Remote Code Execution (CVSS 9.9)
Cisco's Identity Services Engine is the network access control gatekeeper for countless enterprise environments — it decides which devices and users are allowed onto the corporate network, enforces policy, and integrates with directory services like Active Directory. A vulnerability here is not a perimeter problem. It is a core infrastructure problem.
CVE-2026-20147 is an insufficient validation of user-supplied input in ISE and ISE Passive Identity Connector (ISE-PIC). An authenticated remote attacker who has obtained valid administrative credentials can achieve remote code execution by sending crafted HTTP requests. The CVSS score of 9.9 reflects how catastrophic full compromise of an ISE appliance would be: an attacker with code execution on ISE effectively controls your network's front door.
CVE-2026-20180 and CVE-2026-20186 — ISE Arbitrary Command Execution (CVSS 9.9 each)
These two flaws are in some ways more alarming than CVE-2026-20147, because the barrier to exploitation is lower. Both vulnerabilities allow an authenticated attacker in possession of nothing more than read-only admin credentials to execute arbitrary commands on the underlying operating system of the affected ISE device.
Read-only administrative accounts are frequently handed out broadly — to auditors, compliance teams, third-party vendors, or IT staff who need visibility but theoretically no write access. These CVEs mean that any one of those accounts, if compromised, is effectively a root shell on your network access control infrastructure. Cisco has confirmed that patches are available and that there is currently no evidence of exploitation in the wild — but given the severity and the number of organisations running ISE, that window is unlikely to remain open for long.
Why These Flaws Matter Beyond the Immediate Patch
Attackers are increasingly targeting the tools businesses trust most — the collaboration platforms where sensitive conversations happen and the identity infrastructure that decides who is trusted on the network in the first place.
These four vulnerabilities do not exist in isolation. They fit into a broader and accelerating pattern of attacks against business network infrastructure. Barracuda's SOC Threat Radar for Q1 2026, released this week, found that brute-force authentication attempts targeting SonicWall and FortiGate network edge devices accounted for more than 56% of all confirmed security incidents in the first quarter of the year — a sharp surge compared to the same period in 2025. Over 88% of that brute-force traffic originated from IP addresses in the Middle East.
The strategic logic for attackers is straightforward. Network edge devices, identity platforms, and collaboration tools are high-value, high-trust targets. A successful compromise of any of them does not just give an attacker access to data — it gives them the ability to impersonate trusted identities, pivot laterally, and persist undetected inside corporate environments for weeks or months. The Cisco vulnerabilities disclosed today fall squarely in that category.
Webex is used by tens of millions of business users worldwide for meetings, file sharing, and internal communication. A flaw that allows silent user impersonation in that environment is not a theoretical risk — it is a ready-made tool for corporate espionage, business email compromise, and insider-threat-style fraud. ISE deployments sit at the heart of zero-trust architectures at enterprises globally. Compromising ISE does not just breach one system. It potentially compromises every system that ISE vouches for.
What Your Business Needs to Do Today
The remediation steps differ depending on which Cisco products your organisation uses. Here is a clear action checklist:
- Webex SSO users — act immediately: Log into Cisco Control Hub and upload a new SAML certificate for your Identity Provider. This is a mandatory customer-side action. Cisco's server-side fix is already deployed, but SSO-integrated environments will remain at risk of service interruption without this step. If you are unsure whether your Webex deployment uses SSO, check with your IT team now.
- Webex non-SSO users: The server-side fix is already in place. No customer action is required for the authentication vulnerability, but monitor Cisco's security advisories for any follow-on guidance.
- ISE deployments: Apply Cisco's patches to your ISE and ISE-PIC appliances immediately. Check Cisco's official security advisory for the specific fixed versions applicable to your deployment. Do not wait for your standard patching window — the severity justifies emergency change procedures.
- Audit ISE administrative accounts: Review who holds ISE admin credentials, including read-only accounts. Revoke access for any accounts that are no longer needed, and rotate credentials for all remaining accounts as part of your post-patch remediation.
- Check for signs of prior compromise: Before celebrating the patch, look backward. Review ISE and Webex authentication logs for anomalous activity over the past 30 to 60 days. Unusual login times, unfamiliar source IPs, and unexpected privilege escalations may indicate that an attacker beat you to the vulnerability.
- Enforce multi-factor authentication everywhere: MFA does not eliminate these vulnerabilities, but it raises the cost of credential-based exploitation significantly. If MFA is not enforced on your ISE admin accounts and Webex SSO configuration, enabling it now reduces your exposure while patches are applied.
- Communicate with your MSP or IT partner: If you outsource IT management or network administration, forward this advisory to your provider today and confirm that they have a remediation timeline. Do not assume it is being handled.
The Bigger Picture for Business Leaders
IT security teams are already stretched thin. Patch fatigue is real — the drumbeat of critical CVEs can make it tempting to triage by urgency and deprioritize anything that does not yet have a confirmed exploit in the wild. That logic breaks down when the vulnerability in question carries a CVSS score of 9.9 and sits inside a product that controls network access for your entire organisation.
The Cisco patches released today are a reminder that the attack surface for modern businesses extends far beyond the traditional perimeter. It includes the collaboration platforms where your teams share sensitive information, the identity systems that decide who is trusted on your network, and the firewalls and VPNs sitting at the edge. All three categories are under active, sustained pressure in 2026 — not from opportunistic attackers, but from well-resourced threat actors running systematic campaigns to find and exploit exactly this kind of high-trust, high-value infrastructure.
The good news is that Cisco moved quickly to patch these vulnerabilities, and there is currently no evidence of active exploitation. That gives organisations a window to act before attackers weaponise these flaws at scale. That window is measured in days, not weeks. Use it.