Critical Cisco Webex SSO Flaw Allowed Remote User Impersonation
Cisco disclosed a critical certificate validation vulnerability in cloud-based Webex Services that could let an unauthenticated remote attacker bypass authentication and impersonate legitimate users in environments using single sign-on through Webex Control Hub. The flaw, tracked as CVE-2026-20184 and rated CVSS 9.8, stems from improper certificate validation in the SSO implementation (CWE-295), which could cause malicious authentication tokens to be accepted as valid.
Cisco said it patched the backend cloud service, but affected organizations must also manually upload a new SAML certificate for their Identity Provider in Webex Control Hub to fully remediate the issue. The company said there are no workarounds, warned that customers who do not update their SAML certificates may remain exposed and could face service disruption, and added that the vulnerability was found during internal security testing with no known public exploitation reported at disclosure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Cisco patches three critical ISE remote code execution flaws
Cisco released patches for three critical Identity Services Engine vulnerabilities, tracked as CVE-2026-20180, CVE-2026-20186, and CVE-2026-20147. The flaws could allow authenticated attackers with administrative privileges to execute remote code on the underlying operating system of affected ISE devices.
Cisco instructs customers to replace SAML IdP certificates
Cisco said customers using affected SSO integrations must manually upload a new SAML certificate for their Identity Provider in Webex Control Hub to fully remediate the issue. It warned there are no workarounds and that organizations that do not update certificates may remain vulnerable or face service disruption.
Cisco publishes advisory and patches Webex backend service
Cisco disclosed CVE-2026-20184 in a security advisory and said it had patched the affected cloud backend service. The company stated there was no evidence of public exploitation at the time of disclosure.
Cisco identifies Webex certificate validation flaw during internal testing
Cisco discovered a certificate validation vulnerability in Webex Services during internal security testing. The flaw, later tracked as CVE-2026-20184, affects SSO integrations in Webex Control Hub and could allow unauthenticated attackers to impersonate legitimate users.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Warning: Critical improper certificate‑validation in CISCO Webex that can lead to user impersonation, Patch Immediately! | CCB Belgium
ccb.belgium.be
Open sourceCisco patches critical bugs in Webex, ISE | news | SC Media
scworld.com
Open sourceCisco Webex Services Vulnerability Let Remote Attacker Impersonate Any User
cybersecuritynews.com
Open sourceCisco Webex Services Certificate Validation Vulnerability
sec.cloudapps.cisco.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Cisco Secure Workload API Flaw Grants Unauthenticated Site Admin Access
Cisco disclosed **CVE-2026-20223**, a critical `CVSS 10.0` vulnerability in Cisco Secure Workload Cluster Software that allows an unauthenticated remote attacker to gain **Site Admin** privileges by sending crafted requests to internal REST API endpoints. The flaw stems from insufficient authentication and access validation (`CWE-306`) and affects both **SaaS** and **on-premises** deployments, enabling access to site resources, exposure of sensitive information, and configuration changes that can cross tenant boundaries. Cisco said its hosted SaaS environments have already been remediated, while customers running affected versions must upgrade because **no workaround is available**. Fixed releases include **3.10.8.3** and **4.0.3.17**, with the issue affecting version **3.9 and earlier**, versions before **3.10.8.3**, and versions before **4.0.3.17**. Cisco and the Canadian Centre for Cyber Security urged administrators to review the advisory and apply updates promptly; Cisco said it is not aware of active exploitation and reported that the vulnerability was identified during internal security testing.
Jun 29, 2026
Cisco SD-WAN Authentication Bypass Exploited for Admin Access and Persistence
Cisco disclosed and patched **CVE-2026-20182**, a critical `CVSS 10.0` authentication bypass flaw in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager** that has been exploited in the wild. The bug affects the `vdaemon` control-plane service over **DTLS/UDP 12346** and allows an unauthenticated attacker to impersonate a trusted peer, gain high-privilege administrative access, reach **NETCONF** on `TCP/830`, and manipulate SD-WAN fabric configuration. Rapid7 said the flaw stems from missing authentication checks when a peer claims to be a vHub device, enabling attackers to inject SSH keys for the `vmanage-admin` account and establish persistent access; Cisco said there are **no workarounds** and released fixed software versions for affected on-premises, cloud, managed-cloud, and FedRAMP deployments. Cisco Talos attributed the most sophisticated exploitation of `CVE-2026-20182` with high confidence to **UAT-8616**, which was observed adding SSH keys, modifying NETCONF settings, and escalating privileges to root, with infrastructure overlap noted with Operational Relay Box networks. Talos also reported broader ongoing attacks against SD-WAN environments, including widespread exploitation of previously disclosed **CVE-2026-20133**, **CVE-2026-20128**, and **CVE-2026-20122** after public proof-of-concept release, leading to deployment of JSP webshells such as **XenShell**, **Godzilla**, and **Behinder**, along with tools including Sliver, AdaptixC2, XMRig, gsocket, and credential-stealing scripts. **CISA added CVE-2026-20182 to the KEV catalog** and ordered federal agencies to remediate quickly, while Cisco and national cyber agencies urged organizations to preserve forensic evidence, review logs for unauthorized peering and `vmanage-admin` public-key logins, and patch all vulnerable control components immediately.
Jun 29, 2026
Active Exploitation of Cisco Unified Communications RCE (CVE-2026-20045)
Cisco released fixes for a **critical remote code execution** vulnerability in Unified Communications and *Webex Calling Dedicated Instance*, tracked as **CVE-2026-20045**, after it was **actively exploited as a zero-day**. The issue stems from **improper validation of user-supplied input in HTTP requests** to the web-based management interface; successful exploitation can provide **user-level OS access** and enable **privilege escalation to root**. Affected products include **Cisco Unified Communications Manager (Unified CM)**, **Unified CM Session Management Edition (SME)**, **Unified CM IM & Presence**, **Cisco Unity Connection**, and **Webex Calling Dedicated Instance**; Cisco provided version-specific remediations including fixed releases and `.cop` patch files (e.g., `ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512`). CISA added **CVE-2026-20045** to its **Known Exploited Vulnerabilities (KEV) Catalog**, citing evidence of active exploitation and highlighting code injection flaws as a common attack vector with significant risk to the federal enterprise. Under **Binding Operational Directive (BOD) 22-01**, Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities by the specified due date, and CISA urged all organizations to similarly prioritize patching to reduce exposure to ongoing attacks.
Jun 29, 2026