Cisco patches critical Webex SSO flaw, forces customers to rotate SAML certificates

via BleepingComputer

Cisco says critical Webex Services flaw requires customer action

Cisco pushed fixes for four critical vulnerabilities this week, headlined by CVE-2026-20184 in Webex Services. The bug sat in the SSO integration with Control Hub and let an unauthenticated remote attacker impersonate any user by hitting a service endpoint with a crafted token. Cisco has already closed the hole server-side, but customers using SSO must upload a fresh SAML certificate for their identity provider to Control Hub or face service interruption - a cloud-side patch alone is not enough.
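The remediation step above is a certificate rotation, and the part practitioners most often get wrong is leaving the retired signing certificate trusted alongside the new one, so any assertion signed with the old key is still accepted. The check below is an added example, not Cisco's, Webex's or BleepingComputer's code: it parses standard SAML 2.0 IdP metadata, fingerprints every advertised signing certificate, and reports whether the expected new certificate is present and the retired one is gone. The certificate bodies, the entityID and the metadata document are constructed placeholders (not real X.509 DER); how Control Hub itself stores the uploaded certificate is not modeled.

```python
# Added example: verify that a SAML signing-certificate rotation is complete
# on the side that consumes IdP metadata. Not Cisco/Webex code.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder certificate bodies. In real metadata these are the
# base64 DER blobs inside <ds:X509Certificate>; here they are arbitrary bytes.
OLD_CERT_B64 = base64.b64encode(b"placeholder-old-idp-signing-cert").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder-new-idp-signing-cert").decode()


def fingerprint_sha256(cert_b64: str) -> str:
    """SHA-256 fingerprint of the bytes carried in an X509Certificate element.
    Whitespace inside the base64 (common in metadata) is stripped first."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def signing_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of every certificate the metadata advertises for signing.
    A KeyDescriptor with no 'use' attribute is valid for both signing and
    encryption under SAML 2.0 metadata, so it counts as a signing cert too."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys cannot sign assertions
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.append(fingerprint_sha256(cert.text or ""))
    return fps


def check_rotation(metadata_xml: str, retired_fp: str, expected_fp: str) -> dict:
    """Rotation is complete only if the new cert is trusted AND the old one is not."""
    fps = signing_fingerprints(metadata_xml)
    new_present = expected_fp in fps
    old_still_trusted = retired_fp in fps
    return {
        "new_present": new_present,
        "old_still_trusted": old_still_trusted,
        "ok": new_present and not old_still_trusted,
    }


def _metadata(certs_b64) -> str:
    """Build a minimal constructed IdP metadata document listing the given certs."""
    kds = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for c in certs_b64
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        'entityID="https://idp.example.test/placeholder">'
        '<md:IDPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{kds}</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


# Constructed scenarios: a half-done rotation (old cert left in place) and a
# complete one (only the new cert remains).
PARTIAL_ROTATION = _metadata([OLD_CERT_B64, NEW_CERT_B64])
COMPLETE_ROTATION = _metadata([NEW_CERT_B64])

if __name__ == "__main__":
    old_fp = fingerprint_sha256(OLD_CERT_B64)
    new_fp = fingerprint_sha256(NEW_CERT_B64)
    print("partial :", check_rotation(PARTIAL_ROTATION, old_fp, new_fp))
    print("complete:", check_rotation(COMPLETE_ROTATION, old_fp, new_fp))
```

Run it against the metadata your service provider actually consumes after the upload; a result with `old_still_trusted` set means assertions signed with the retired key would still be accepted, which defeats the purpose of the rotation.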

The other three critical fixes (CVE-2026-20147, CVE-2026-20180, CVE-2026-20186) hit Identity Services Engine, where arbitrary OS command execution is possible but gated behind admin credentials. Ten medium-severity issues covering auth bypass, privilege escalation, and DoS round out the batch. PSIRT reports no in-the-wild exploitation of any of them.

The advisory lands a month after CISA ordered federal agencies to patch CVE-2026-20131 in Cisco Secure Firewall Management Center, a max-severity zero-day weaponized by Interlock ransomware operators since January. The pattern - identity and management-plane bugs in Cisco’s admin surfaces - continues to define the vendor’s 2026 vulnerability profile.

This is an AI-generated summary. Read the original for the full story.