Cisco Patches Critical ISE Vulnerabilities Allowing Remote Code Execution Attacks

Cisco’s Identity Services Engine (ISE) sits at the heart of most enterprise network access control architectures, authenticating devices and enforcing policy across wired, wireless and VPN connections. This week the vendor disclosed three critical flaws—CVE‑2026‑20147, CVE‑2026‑20180 and CVE‑2026‑20186—each rated 9.9 on the CVSS scale. The bugs stem from insufficient validation of HTTP input, allowing an attacker with administrative or even read‑only credentials to inject arbitrary commands and ultimately gain root privileges. In single‑node deployments the flaw can also trigger a denial‑of‑service that blocks new endpoint authentication.

The urgency is amplified by a parallel vulnerability in Cisco Webex Services (CVE‑2026‑20184), scored 9.8, which bypasses certificate validation in the Control Hub single sign‑on flow. An unauthenticated remote actor can impersonate any user, compromising meetings, file sharing and collaboration data. Cisco has released patches for all affected ISE releases up to version 3.5 and for Webex SSO configurations, but it stresses that no work‑arounds exist. Organizations must apply the updates immediately, verify hardware compatibility, and re‑harden administrative access to limit exposure.

These disclosures underscore a growing trend: critical authentication platforms are prime targets because a single breach can cascade across an entire corporate network. Security teams should treat ISE and Webex patches as high‑priority items in their vulnerability‑management calendars, integrating automated scanning for the listed CVE identifiers. Continuous monitoring for anomalous authentication attempts, coupled with strict least‑privilege policies, can mitigate the window of opportunity before patches are deployed. In an environment where remote work and cloud‑based collaboration are entrenched, rapid remediation remains the most effective defense against ransomware and espionage campaigns.