Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: ise (2 articles)Clear

Critical Cisco ISE flaws give attackers root and leak credentials

Cisco has patched serious flaws in Identity Services Engine (ISE), the platform many organizations use to control who and what connects to their network. The most severe is a critical remote-code-execution bug that can give an attacker root-level control of the appliance. A second flaw, CVE-2026-20190, is an unauthenticated information-disclosure issue caused by weak authorization checks, letting a remote attacker pull sensitive data, including hashed credentials, that could fuel follow-on attacks and lateral movement. All versions of ISE and ISE-PIC are affected, though which flaws apply varies by release. Cisco has not reported active exploitation, but ISE sits at the heart of network access control.

Check
Identify Cisco ISE and ISE-PIC deployments and their patch levels, restrict access to the management interface to trusted administrators, and review logs for unexpected requests or signs of credential access.
Affected
All versions of Cisco Identity Services Engine (ISE) and ISE-PIC, with applicable flaws varying by release; the unauthenticated information-disclosure bug is tracked as CVE-2026-20190, alongside a critical root-level code-execution flaw.
Fix
Upgrade to ISE 3.3 Patch 11 or 3.4 Patch 6 now; the 3.5 Patch 4 fix is expected in August. Limit management access to trusted networks until then.

Cisco Webex SSO flaw lets unauthenticated attackers impersonate any user (CVE-2026-20184) - four critical bugs patched this week

Cisco has patched four critical vulnerabilities this week across Webex and Identity Services Engine (ISE). The standout flaw is CVE-2026-20184 in Cisco Webex Services with SSO integration via Control Hub - it allows an unauthenticated remote attacker to impersonate any user in the service due to incorrect certificate validation in the SSO flow. This is particularly dangerous for organizations using Webex with SAML and centralized identity management. Alongside it: CVE-2026-20180 and CVE-2026-20186 (both CVSS 9.9) affect Cisco ISE and ISE Passive Identity Connector, allowing authenticated attackers with even read-only admin credentials to execute arbitrary commands on the underlying OS and escalate to root. CVE-2026-20147 is a path traversal flaw in the same products. ISE versions before 3.2, plus 3.2, 3.3, 3.4, and 3.5 branches are all affected. No workarounds - only software updates fix these. In single-node ISE deployments, exploitation can also knock the node offline, blocking network access for unauthenticated endpoints.

Check
If you use Cisco Webex with SSO via Control Hub, treat CVE-2026-20184 as urgent - it's unauthenticated. If you run Cisco ISE for network access control, plan to patch this week.
Affected
Cisco Webex Services configured with SSO integration via Control Hub (CVE-2026-20184, unauthenticated impersonation). Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) versions prior to 3.2, plus 3.2, 3.3, 3.4, and 3.5 branches (CVE-2026-20180, CVE-2026-20186, CVE-2026-20147).
Fix
Apply Cisco's software updates from the April 15 advisories. For ISE, upgrade to the fixed release matching your branch - there are no workarounds. For Webex with SSO, the fix is included in Cisco's latest Control Hub release. If patching is delayed, restrict admin access to ISE management interfaces to trusted IPs only via network-level ACLs - this doesn't fix CVE-2026-20184 but reduces the risk from ISE credential theft to RCE chains. Review Cisco admin account hygiene: read-only credentials are enough to chain to root on unpatched ISE.