Search

Critical Improper Certificate Validation in Cisco Webex Allows User Impersonation (CVSS 9.8)

The Centre for Cybersecurity Belgium issued a critical security warning for CVE-2026-20184, an improper certificate-validation vulnerability (CWE-295) affecting Cisco Webex versions 39.6 through 45.4. The vulnerability carries a CVSS 9.8 score and enables remote, unauthenticated attackers to impersonate any user within the Cisco Webex service by supplying a crafted token during SSO with Control Hub, potentially compromising confidentiality, integrity, and availability. CCB strongly recommends installing vendor updates with highest priority and upscaling monitoring and detection capabilities to identify suspicious activity.

Vulnerability Summary for the Week of April 13, 2026

CISA published Vulnerability Bulletin SB26-110 summarising new vulnerabilities recorded during the week of April 13, 2026. The bulletin lists seven high-severity CVEs affecting Grafana Pyroscope (CVSS 9.1), Grocery Store Management System (CVSS 9.8), School-management-system (CVSS 9.8), Owen WebStack for WordPress (CVSS 9.8), Cisco ISE (two CVEs, CVSS 9.9 each), and Cisco Webex Meetings (CVSS 9.8). Patch information is provided where available via vendor security advisories.

Critical Vulnerabilities in Cisco ISE and Webex Services

The Cyber Security Agency of Singapore issued an alert advising users and administrators to immediately update Cisco Identity Services Engine (ISE) and Webex Services to address multiple critical security vulnerabilities. Affected CVEs include CVE-2026-20147, CVE-2026-20180, CVE-2026-20186 (CVSSv3.1: 9.9) in Cisco ISE, and CVE-2026-20184 (CVSSv3.1: 9.8) in Webex Services. The vulnerabilities could allow authenticated remote attackers to gain root access and execute arbitrary commands, or unauthenticated attackers to impersonate users and access legitimate Webex services.

Cisco WebEx Multiple Critical Vulnerabilities CVSS 9.8

CERT-Bund issued a critical security advisory for Cisco WebEx vulnerabilities (WID-SEC-2026-1132) with CVSS Base Score 9.8 affecting WebEx Contact Center and WebEx Services. Multiple cross-site scripting vulnerabilities and security bypass flaws affect Windows, Linux, UNIX, and other operating systems. Remote attackers can exploit these flaws to perform XSS attacks and circumvent security measures.