Cisco says critical Webex Services flaw requires customer action

Published: April 16, 2026 at 08:01 AM EDT

Source: Bleeping Computer

Cisco has released security updates to patch four critical vulnerabilities, including an improper certificate validation flaw in the cloud‑based Webex Services platform that requires further customer action.

Vulnerability in Webex Services

The flaw, tracked as CVE‑2026‑20184, resides in the single sign‑on (SSO) integration with Control Hub (a web‑based portal for managing Webex settings). It allows remote attackers with no privileges to impersonate any user.

Cisco explained in a Wednesday advisory that prior to the fix, an attacker could exploit the vulnerability by connecting to a service endpoint and supplying a crafted token. A successful exploit could have granted unauthorized access to legitimate Cisco Webex services.

“A successful exploit could have allowed the attacker to gain unauthorized access to legitimate Cisco Webex services.” – Cisco Security Advisory

Required Customer Action

Customers using SSO integration must upload a new SAML certificate for their identity provider (IdP) to Control Hub to avoid service interruption.

Additional Critical Flaws Patched

On the same day, Cisco also patched three critical vulnerabilities in the Identity Services Engine (ISE) platform.

These flaws could allow attackers to execute arbitrary commands on the underlying operating system, regardless of device configuration. Successful exploitation, however, requires administrative credentials on the targeted systems.

The full list of security issues addressed this week, including 10 medium‑severity flaws, is available in Cisco’s publication listing: Security Issues Addressed This Week.

Cisco’s Product Security Incident Response Team (PSIRT) reported no evidence that any of these vulnerabilities have been exploited in the wild.

Last month, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch a maximum‑severity vulnerability (CVE‑2026‑20131) in Cisco’s Secure Firewall Management Center (FMC). That flaw had been exploited as a zero‑day in Interlock ransomware attacks since late January 2026.
