π―Cisco found serious security holes in some of its products that hackers could use to break in and take control. Theyβve released updates to fix these problems, and it's super important for users to install them right away to keep their systems safe.
The Flaw
On February 25, 2026, Cisco published security advisories to address critical vulnerabilities in several products, including the Cisco Catalyst SD-WAN Controller, Catalyst SD-WAN Manager, Nexus 3600 and 9500-R Switching Platform, Nexus 9000 Series Fabric Switches, and UCS Software. Notably, CVE-2026-20127 has been confirmed as exploited in the wild. Recent updates have added CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Database.
In addition to these vulnerabilities, Cisco has announced patches for four critical security flaws affecting Identity Services and Webex Services. These include:
- CVE-2026-20184 (CVSS score: 9.8): An improper certificate validation in the integration of single sign-on (SSO) with Control Hub in Webex Services, allowing an unauthenticated attacker to impersonate any user.
- CVE-2026-20147 (CVSS score: 9.9): An insufficient validation of user-supplied input in Identity Services Engine (ISE) that could allow an authenticated attacker to execute arbitrary code.
- CVE-2026-20180 and CVE-2026-20186 (CVSS scores: 9.9): Multiple insufficient validation vulnerabilities in ISE that could allow an authenticated attacker to execute commands on the operating system of an affected device.
What's at Risk
The vulnerabilities in the Catalyst and Nexus products could lead to significant disruptions in network operations, including denial of service conditions. The Identity Services and Webex flaws pose severe risks, as they could enable unauthorized access and control over user accounts, potentially leading to data breaches or further exploitation within corporate networks.
Patch Status
Cisco has released patches for the affected products. Users are encouraged to update their systems to the latest versions to mitigate risks. Specifically, for the Identity Services vulnerabilities, users must migrate to fixed releases as specified in the advisory. CVE-2026-20184 does not require customer action as it is cloud-based, but those using SSO should upload a new identity provider SAML certificate.
Immediate Actions
Organizations using affected Cisco products should:
- Review the advisories and apply the necessary updates immediately.
- For Identity Services users, ensure migration to the specified patched releases.
- Monitor for any unusual activity that may indicate exploitation attempts.
- Stay informed through CISA updates and Cisco advisories regarding any further developments or additional vulnerabilities that may arise.
The recent vulnerabilities underscore the importance of timely patch management and proactive monitoring for organizations using Cisco products, especially in light of confirmed exploits in the wild.
