Critical 9.8 Webex Flaw Lets Attackers Impersonate Any User

In the modern enterprise, the Single Sign-On (SSO) portal is the master key to a company’s digital life. However, a recently disclosed critical vulnerability in Cisco Webex Services has revealed how a flaw in that key could allow an outsider to walk through the front door as anyone they choose.

The vulnerability, tracked as CVE-2026-20184, carries a critical severity rating of CVSS 9.8. It strikes at the heart of the integration between cloud-based Webex Services and the Cisco Control Hub.

The technical root of the crisis is a breakdown in improper certificate validation. In a secure SSO environment, certificates are the digital “IDs” that verify trust between a service and its identity provider.

In this case, the validation logic was flawed enough that an unauthenticated, remote attacker could connect to a service endpoint and supply a crafted token. Because the system failed to properly verify the authenticity of the certificate associated with that token, it would essentially accept the attacker’s claim at face value.

A successful exploit “could have allowed an unauthenticated, remote attacker to impersonate any user within the service”.

In a business context, this means an attacker could potentially:

• Access Sensitive Meetings: Join executive-level briefings or confidential project updates as a recognized employee.
• Data Exfiltration: Gain unauthorized access to legitimate Webex services to view stored documents, recordings, or chat logs.
• Lateral Movement: Leverage the trusted identity to perform further social engineering or administrative tasks within the platform.

While Cisco has already addressed the vulnerability on the backend of its cloud-based services, the fix requires manual intervention from customers to ensure continued security and service stability.

To avoid service interruption, organizations using SSO integration must:

1. Log into Control Hub: Navigate to the identity provider settings.
2. Upload a New Certificate: Customers are required to upload a new identity provider (IDP) SAML certificate.
3. Verify Integration: Consult the “Manage single sign-on integration in Control Hub” documentation for detailed configuration guidance.

Fortunately for the thousands of organizations relying on Webex, the Cisco Product Security Incident Response Team (PSIRT) currently reports that they are “not aware of any public announcements or malicious use of the vulnerability”.