Cisco Patches Four Critical Flaws in Identity Services Engine and Webex: Unauthenticated RCE and Full User Impersonation at Risk

dark6 21 April 2026
Cisco has released critical security patches addressing four severe vulnerabilities affecting two of its most widely deployed enterprise products: Cisco Identity Services Engine (ISE) and Cisco Webex. The flaws, if exploited, could allow remote attackers to execute arbitrary code, bypass authentication, or impersonate any user within the affected services — posing an extremely high risk to enterprises that rely on these platforms for network access control and unified communications.

Cisco Identity Services Engine: Critical RCE Vulnerabilities

Cisco Identity Services Engine (ISE) is the company’s flagship network access control (NAC) and policy enforcement platform, used by thousands of enterprises worldwide to authenticate devices and users on corporate networks and to enforce zero-trust segmentation policies. Two of the four vulnerabilities affect ISE directly.

The most severe of these flaws allows a remote, unauthenticated attacker to execute arbitrary code with root privileges on the underlying operating system by sending specially crafted requests to a vulnerable API endpoint. Cisco’s advisory describes the root cause as improper input validation within ISE’s web management interface — a class of vulnerability that is particularly dangerous in NAC platforms, where compromise grants the attacker insight into and potential control over network access policies.

A second ISE vulnerability enables privilege escalation for authenticated low-privilege users, potentially allowing internal threat actors or compromised service accounts to elevate their access to administrative level. Combined with the unauthenticated RCE flaw, the two vulnerabilities could be chained: an attacker who first gains a foothold via the RCE could then use the escalation path to establish persistence.

Cisco Webex: Authentication Bypass and User Impersonation

The two remaining vulnerabilities affect Cisco Webex, the company’s cloud-based video conferencing and collaboration platform. One flaw involves a broken authentication mechanism that allows a remote attacker to impersonate any legitimate user within a Webex organisation without possessing that user’s credentials. The vulnerability stems from insufficient verification of authentication tokens in certain Webex API flows.

The second Webex vulnerability enables arbitrary code execution within the Webex client application under specific conditions involving the processing of maliciously crafted meeting invitations or shared content. While this requires some degree of user interaction — such as joining a manipulated meeting — the widespread use of Webex in enterprise environments and the trusted nature of meeting invitations make this a viable attack vector for spear-phishing campaigns.

Scope and Impact

The potential impact of these vulnerabilities is substantial, particularly for organisations that use Cisco ISE as the backbone of their network access control architecture:

  • An ISE compromise could allow attackers to grant themselves unrestricted network access, bypassing segmentation controls designed to contain breaches
  • Attackers could modify ISE policies to whitelist malicious devices or revoke access for legitimate endpoints, causing widespread service disruption
  • Webex user impersonation could enable business email compromise (BEC)-style attacks conducted through trusted video conferencing channels
  • The Webex RCE flaw could be used to deploy malware on endpoints of high-value targets attending compromised meetings

Cisco had not disclosed any active exploitation of these vulnerabilities in the wild at the time of the patch release. However, given the high profile of both products and the severity of the flaws, security researchers expect threat actors to develop working exploits quickly, since the patches are now public and can be reverse-engineered to locate the vulnerable code paths.

Affected Versions and Patches

Cisco’s security advisories specify the following patch guidance:

  • Cisco ISE: Versions 3.1 through 3.4 are affected. Customers should upgrade to the fixed releases detailed in Cisco’s advisory immediately. No workarounds are available for the unauthenticated RCE vulnerability.
  • Cisco Webex: The cloud-hosted Webex services have been patched automatically by Cisco. Customers using on-premises Webex deployments or Webex client applications should apply the latest client updates and ensure their Webex infrastructure is running patched versions.

Recommended Actions

Security and network operations teams should take the following steps immediately:

  • Apply Cisco’s patches to all affected ISE and Webex deployments without delay
  • Review ISE access logs for anomalous authentication attempts or unexpected policy changes that could indicate prior compromise
  • Restrict management access to Cisco ISE to trusted administrator IP ranges only
  • Enable multi-factor authentication for all Webex accounts to limit the impact of the user impersonation vulnerability
  • Treat any unexpected Webex meeting invitations or file shares with heightened suspicion until the client patches are applied

These vulnerabilities serve as a reminder that network access control and unified communications platforms are prime targets for sophisticated threat actors. Because these systems sit at critical junctures in enterprise infrastructure — controlling who can connect to the network and how employees communicate — their compromise can have cascading effects far beyond the platform itself.
