Cisco has addressed a severe remote code execution (RCE) vulnerability, identified as CVE-2026-20045, impacting its Unified Communications and Webex Calling platforms. This critical flaw has been actively exploited by attackers as a zero-day.
The vulnerability affects several Cisco products, including Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance.
According to Cisco’s advisory, the flaw stems from improper validation of user-supplied input within HTTP requests. An attacker could exploit this by sending specially crafted HTTP requests to the web-based management interface of a vulnerable device.
Successful exploitation of this vulnerability could grant an attacker user-level access to the underlying operating system, with the potential to then elevate privileges to root.
Despite having a CVSS score of 8.2, Cisco has rated this vulnerability as Critical due to the potential for attackers to achieve root access on affected servers.
Cisco has released software updates and patch files to mitigate this vulnerability:
Cisco Unified CM, Unified CM IM&P, Unified CM SME, and Webex Calling Dedicated Instance Release:
- Version 12.5: Migrate to a fixed release.
- Version 14: Update to 14SU5 or apply patch file: ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
- Version 15: Update to 15SU4 (expected March 2026) or apply patch files: ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512, ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512
Cisco Unity Connection Release:
- Version 12.5: Migrate to a fixed release.
- Version 14: Update to 14SU5 or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
- Version 15: Update to 15SU4 (expected March 2026) or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
It is important to review the README documentation for each patch, as updates are version-specific.
Cisco’s Product Security Incident Response Team (PSIRT) has confirmed active exploitation attempts of this vulnerability. Customers are strongly advised to upgrade their software to the latest versions without delay.
There are no known workarounds to mitigate this flaw without installing the provided updates.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) Catalog. Federal agencies are mandated to deploy the necessary updates by February 11, 2026.
This month, Cisco also addressed other significant vulnerabilities, including an Identity Services Engine (ISE) flaw with public proof-of-concept exploit code, and an AsyncOS zero-day that had been exploited since November.
