PROBABLYPWNED
Vulnerabilities | April 20, 2026 | 3 min read

Cisco Patches Four CVSS 9.9 Flaws in Identity Services Engine

Critical ISE vulnerabilities let authenticated users escalate to root. Read-only admin accounts can execute arbitrary commands on underlying OS.

Marcus Chen

Cisco released patches for four critical vulnerabilities in Identity Services Engine (ISE), its network access control platform. Three of the flaws score CVSS 9.9—nearly the maximum severity rating—and could allow authenticated attackers to execute arbitrary commands and escalate privileges to root.

The Critical Flaws

CVE-2026-20186 and CVE-2026-20180 affect ISE's input validation mechanisms. According to Cisco's security advisory, both vulnerabilities allow an authenticated attacker with read-only administrator credentials to execute arbitrary commands on the underlying operating system.

That's a significant escalation vector. Read-only admin accounts exist precisely because organizations want to limit what certain administrators can do. These flaws bypass that design entirely.

CVE             CVSS  Requirement        Impact
CVE-2026-20184  9.8   Unauthenticated    User impersonation via SSO
CVE-2026-20147  9.9   Admin credentials  RCE on underlying OS
CVE-2026-20180  9.9   Read-only admin    RCE on underlying OS
CVE-2026-20186  9.9   Read-only admin    RCE on underlying OS

Attack Path

A successful exploit follows this sequence:

  1. Attacker obtains read-only administrator credentials (phishing, credential stuffing, prior breach)
  2. Logs into ISE with limited permissions
  3. Exploits input validation flaw to execute OS commands
  4. Escalates from user-level access to root

Cisco confirmed that attackers can "obtain user-level access to the underlying operating system and then elevate privileges to root." In single-node ISE deployments, exploitation could crash the node entirely, blocking unauthenticated endpoints from network access until restored—similar to the Windows domain controller crashes that disrupted authentication infrastructure last week.

Webex Vulnerability Adds Risk

CVE-2026-20184 affects Cisco Webex Services and enables user impersonation through improper certificate validation in SSO integration. Unlike the ISE flaws, this one requires no authentication—attackers can impersonate any user within the service.

Organizations using Webex for collaboration should prioritize this patch. The impersonation capability could enable business email compromise scenarios or give attackers access to sensitive meeting recordings and shared documents.

What's Affected

The ISE vulnerabilities impact multiple versions:

CVE-2026-20147:

  • ISE 3.1 (patch 11), 3.2 (patch 10), 3.3 (patch 11), 3.4 (patch 6), 3.5 (patch 3)

CVE-2026-20180 and CVE-2026-20186:

  • ISE 3.2 (patch 8), 3.3 (patch 8), 3.4 (patch 4)
  • ISE 3.5 is not vulnerable

CVE-2026-20184 affects cloud-based Webex Services; the fix requires uploading a new IdP SAML certificate through Control Hub.

Why ISE Matters

Identity Services Engine sits at the center of enterprise network access control. It enforces who gets on the network, what they can access, and whether their devices meet compliance requirements. Compromising ISE means controlling network admission—attackers could whitelist their own devices, bypass security policies, or deny access to legitimate users.

Cisco network infrastructure continues drawing attacker attention. We covered FortiSandbox auth bypass flaws earlier this week, and network security appliances remain a consistent target for threat actors seeking persistent access. The FortiClient EMS vulnerability CISA flagged last month shows the pattern clearly.

Mitigation

  1. Apply patches immediately for all affected ISE versions
  2. Audit read-only admin accounts for suspicious activity
  3. Review ISE authentication logs for anomalous logins
  4. For Webex: Upload new IdP SAML certificates through Control Hub
  5. Segment ISE management interfaces from general network access
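Steps 2 and 3 above come down to one question: is a read-only administrator account doing anything a read-only role should never do, or logging in from somewhere it never should? The following Python script is an added example, not code from the article or from Cisco, and it works over constructed audit events in an assumed simplified key=value format rather than ISE's real syslog format. The role label `ReadOnlyAdmin`, the management subnet `10.10.5.0/24`, the business-hours window and the failed-login threshold are all assumptions a defender would replace with their own values.

```python
"""Review constructed ISE-style audit events for anomalous read-only admin activity."""
import ipaddress
from collections import defaultdict
from datetime import datetime, time

# Constructed sample events in an ASSUMED simplified format (not Cisco's real ISE log format):
# <iso-timestamp> user=<name> role=<role> src=<ip> action=<name> result=<ok|fail>
SAMPLE_LOG = """\
2026-04-20T09:12:04 user=alice role=ReadOnlyAdmin src=10.10.5.21 action=login result=ok
2026-04-20T09:13:10 user=alice role=ReadOnlyAdmin src=10.10.5.21 action=view_policy result=ok
2026-04-20T02:41:33 user=bob role=ReadOnlyAdmin src=203.0.113.45 action=login result=ok
2026-04-20T02:42:01 user=bob role=ReadOnlyAdmin src=203.0.113.45 action=config_change result=ok
2026-04-20T02:42:19 user=bob role=ReadOnlyAdmin src=203.0.113.45 action=shell_cmd result=ok
2026-04-20T10:05:00 user=carol role=SuperAdmin src=10.10.5.30 action=login result=ok
2026-04-20T10:06:00 user=carol role=SuperAdmin src=10.10.5.30 action=config_change result=ok
2026-04-20T11:20:00 user=dave role=ReadOnlyAdmin src=10.10.5.22 action=login result=fail
2026-04-20T11:20:05 user=dave role=ReadOnlyAdmin src=10.10.5.22 action=login result=fail
2026-04-20T11:20:09 user=dave role=ReadOnlyAdmin src=10.10.5.22 action=login result=fail
"""

MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]   # assumed management subnet
BUSINESS_HOURS = (time(7, 0), time(19, 0))             # assumed local admin hours
READ_ONLY_ROLE = "ReadOnlyAdmin"                        # assumed role label in the log
WRITE_ACTIONS = {"config_change", "shell_cmd"}          # a read-only role must never do these
FAIL_THRESHOLD = 3                                      # assumed failed-login alert threshold


def parse_line(line):
    """Parse one 'ts key=value ...' event into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def review(log_text):
    """Return (user, reason, detail) findings for read-only admin accounts only."""
    findings = []
    failed_logins = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["role"] != READ_ONLY_ROLE:
            continue  # only read-only accounts are in scope here
        src = ipaddress.ip_address(ev["src"])

        if ev["action"] == "login" and ev["result"] == "ok":
            # Successful login from outside the management subnet or outside admin hours
            if not any(src in net for net in MGMT_NETS):
                findings.append((ev["user"], "login from outside management subnet", ev["src"]))
            if not (BUSINESS_HOURS[0] <= ev["ts"].time() <= BUSINESS_HOURS[1]):
                findings.append((ev["user"], "login outside business hours", ev["ts"].isoformat()))
        elif ev["action"] == "login" and ev["result"] == "fail":
            failed_logins[ev["user"]] += 1  # credential stuffing / guessing signal

        if ev["action"] in WRITE_ACTIONS:
            # The strongest signal: a read-only role changing config or running OS commands
            findings.append((ev["user"], f"read-only account performed {ev['action']}", ev["src"]))

    for user, count in failed_logins.items():
        if count >= FAIL_THRESHOLD:
            findings.append((user, f"{count} failed logins", ""))
    return findings


if __name__ == "__main__":
    for user, reason, detail in review(SAMPLE_LOG):
        print(f"{user:8} {reason:45} {detail}")
```

On the constructed sample, `alice` and `carol` produce nothing, `bob` produces four findings (off-subnet login, off-hours login, and two write actions from a read-only role), and `dave` is flagged for three failed logins. The write-action check is the one worth keeping even after patching: a read-only account that changes configuration or runs shell commands is the observable footprint of exactly the privilege boundary these flaws break.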

Cisco stated they're not aware of active exploitation, but the CVSS 9.9 scores and detailed advisory give attackers a clear roadmap. Weaponization typically follows quickly after this level of disclosure.

Organizations running ISE should treat this as urgent. The combination of read-only credential requirements and root escalation makes these flaws attractive to threat actors who've already harvested credentials through other campaigns—like the Vercel OAuth compromise we reported yesterday.
