Cisco Webex SSO Flaw Let Attackers Impersonate Any User

A critical vulnerability in Cisco Webex Services could have allowed unauthenticated attackers to impersonate any user within an organization. CVE-2026-20184, rated 9.8 on the CVSS scale, stemmed from improper certificate validation in the single sign-on (SSO) integration with Control Hub.

Cisco disclosed the vulnerability on April 15 as part of a broader security update addressing four critical flaws in Webex and Identity Services Engine. Because Webex Services is cloud-hosted, Cisco has already applied the fix—no customer action is required for the core vulnerability. However, organizations using SSO should upload new identity provider certificates as a precaution.

How the Attack Worked

The flaw existed in how Webex validated certificates during SSO authentication flows. When users authenticate to Webex through their organization's identity provider, the service should verify that authentication tokens are signed by a trusted certificate.

CVE-2026-20184 broke that verification. An attacker could connect to a specific service endpoint within the Webex SSO integration and supply a crafted token. Due to the improper certificate validation, Webex would accept the forged token and grant the attacker access as any user they specified.

The attack required no authentication and could be executed remotely. An attacker didn't need access to the target organization's network—they only needed to know a valid username within the target Webex deployment.

Impact and Enterprise Risk

User impersonation in a collaboration platform carries serious consequences. An attacker could:

• Access confidential meetings and recordings
• Read message history and shared files
• Send messages as the impersonated user
• Join meetings under a trusted identity for social engineering attacks

Organizations that recorded sensitive meetings—board discussions, M&A negotiations, HR matters—would face particular exposure. Similar impersonation techniques have been used in Microsoft 365 OAuth bypass attacks targeting enterprise users. Webex stores recordings in the cloud, potentially accessible to an attacker impersonating authorized users.

This vulnerability follows other recent Cisco authentication issues. We've covered Cisco ISE critical RCE vulnerabilities that attackers are actively exploiting, demonstrating continued focus on Cisco infrastructure as a target.

Three More Critical Webex and ISE Flaws

Cisco's April 15 advisory covered four critical vulnerabilities total:

CVE	Product	CVSS	Description
CVE-2026-20184	Webex Services	9.8	SSO user impersonation
CVE-2026-20147	Webex Services	9.9	Not detailed publicly
CVE-2026-20180	Webex Services	Critical	Not detailed publicly
CVE-2026-20186	Identity Services Engine	9.9	Remote code execution

The ISE vulnerability (CVE-2026-20186) is the most concerning for on-premises deployments since it requires manual patching and enables remote code execution. Singapore's Cyber Security Agency issued an alert urging organizations to patch ISE deployments immediately.

What Organizations Should Do

For CVE-2026-20184 specifically, Cisco states no customer action is required—the cloud service has been patched. However, organizations using SAML-based SSO with Webex should:

1. Upload a new IdP certificate - Cisco recommends refreshing your identity provider SAML certificate in Control Hub as a precautionary measure
2. Review access logs - Check Webex audit logs for suspicious authentication activity prior to the patch
3. Monitor for anomalies - Watch for unusual user behavior that might indicate prior compromise

For the broader set of Cisco vulnerabilities, organizations running on-premises ISE deployments should prioritize patching. The combination of CVSS 9.9 severity and authentication bypass makes CVE-2026-20186 particularly dangerous.

Why This Matters

Collaboration platforms became critical infrastructure during the pandemic shift to remote work, and they remain central to hybrid work models. Webex, Teams, Zoom, and similar platforms handle sensitive communications daily. Authentication bypass in these systems doesn't just expose individual accounts—it can compromise entire organizations' confidential discussions.

Cisco says it's not aware of active exploitation for these vulnerabilities. But a CVSS 9.8 authentication bypass in a widely-deployed cloud service rarely stays unexploited for long. Organizations should verify their Webex SSO configuration and complete any recommended certificate updates promptly.