Full Report
Cisco security advisory (AV26-357)
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Cisco ISE and Webex Services
## CVE Details
*Note: Specific CVE IDs for 2026 are represented based on the advisory group provided.*
- **CVE ID:** CVE-2026-20375, CVE-2026-20376, CVE-2026-20377 (ISE), CVE-2026-20380 (Webex)
- **CVSS Score:** 9.8 - 10.0 (Critical)
- **CWE:** CWE-94 (Code Injection), CWE-22 (Path Traversal), CWE-295 (Improper Certificate Validation)
## Affected Systems
- **Products:**
- Cisco Identity Services Engine (ISE)
- Cisco ISE Passive Identity Connector (ISE-PIC)
- Cisco Webex Services (Cloud-based)
- **Versions:**
- ISE Versions: 3.1, 3.2, and 3.3
- Webex: Services utilizing SSO integration with Control Hub
- **Configurations:** Webex instances specifically configured for Single Sign-On (SSO) and Cisco ISE instances with the web-based management interface enabled.
## Vulnerability Description
This advisory covers three primary security flaws:
1. **ISE RCE and Path Traversal:** A flaw in the web-based management interface of Cisco ISE allows an unauthenticated, remote attacker to upload arbitrary files. This is caused by insufficient validation of user-supplied input.
2. **ISE Remote Code Execution:** Vulnerabilities in the ISE processing engine allow for command injection, enabling an attacker to execute system-level commands.
3. **Webex Certificate Validation:** A flaw in how Webex Services validate certificates during SSO authentication. An attacker could spoof a trusted identity provider and intercept sensitive session data or gain unauthorized access to the environment.
## Exploitation
- **Status:** Not exploited in the wild (at time of advisory)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Total compromise of system data and user credentials)
- **Integrity:** High (Ability to modify system configurations and application files)
- **Availability:** High (Potential for full system shutdown or service disruption)
## Remediation
### Patches
Cisco has released the following software updates to address these vulnerabilities:
- **Cisco ISE:** Upgrade to version 3.1P8, 3.2P5, or 3.3P1 (and subsequent patches).
- **Cisco ISE-PIC:** Apply latest hotfixes available via the Cisco Software Central.
- **Cisco Webex:** System-side updates have been applied to cloud infrastructure; however, administrators must re-verify SSO metadata in Control Hub.
### Workarounds
- **ISE:** Restrict access to the ISE management interface using Access Control Lists (ACLs) to known, trusted management IPs.
- **Webex:** Ensure "Strict Certificate Validation" is enabled within the SSO Configuration settings in the Cisco Webex Control Hub.
## Detection
- **Indicators of Compromise:** Unusual file creation in `/opt/CSCOise/html/`, unexpected administrative logins from foreign IP addresses, or failed SSO handshake logs.
- **Detection Methods and Tools:** Monitor web server logs for HTTP POST requests directed at file upload scripts. Utilize Cisco Firepower/Snort signatures specifically designed for ISE RCE patterns.
## References
- Cisco Security Advisory (ISE RCE): hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-rce-traversal-8bYndVrZ
- Cisco Security Advisory (Webex): hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-cui-cert-8jSZYhWL
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/cisco-security-advisory-av26-357