Cisco has issued critical security patches for multiple Unified Communications (CM) products and Webex Calling Dedicated Instance to address a zero-day vulnerability, CVE-2026-20045, which has been actively exploited in the wild. The flaw, carrying a CVSS score of 8.2, allows unauthenticated remote attackers to execute arbitrary commands on vulnerable devices, potentially leading to root-level system access.
The vulnerability arises from improper validation of user- supplied input within HTTP requests. Attackers can exploit this by sending specially crafted HTTP requests to the web-based management interface of an affected device. A successful exploitation could grant the attacker user-level operating system access, which can then be escalated to root privileges, posing a significant security risk to organizations relying on these communication systems.
Critical Cisco Unified Communications Vulnerability Exploited in Zero-Day Attacks
The severity of CVE-2026-20045 is amplified by its potential for full system compromise, as indicated by the critical rating assigned by Cisco. The vulnerability impacts several widely used Cisco communication platforms:
- Cisco Unified CM
- Cisco Unified CM Session Management Edition (SME)
- Cisco Unified CM IM & Presence Service (IM&P)
- Cisco Unity Connection
- Cisco Webex Calling Dedicated Instance
Cisco has outlined specific release versions and patch files required to remediate the vulnerability across these products. For Cisco Unified CM, CM SME, CM IM&P, and Webex Calling Dedicated Instance, users are advised to migrate to fixed releases or apply specific patch files. For example, Release 14 requires the application of patch file ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512, while Release 15 may require other specified patch files or a move to 15SU4 forthcoming in March 2026.
Similarly, for Cisco Unity Connection, users on Release 12.5 are recommended to migrate to a fixed release. Release 14 customers should apply patch file ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512, and Release 15 users either move to 15SU4 (March 2026) or apply the same patch file.
Cisco has confirmed awareness of ongoing attempts to exploit this vulnerability, urging customers to implement the necessary software updates promptly. Currently, no workarounds are available to mitigate the risk. The discovery and reporting of this bug are credited to an anonymous external security researcher.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken action by adding CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion mandates that Federal Civilian Executive Branch (FCEB) agencies must apply the available fixes by February 11, 2026, to bolster their defenses against this critical threat.
This development follows closely on the heels of another significant security announcement from Cisco. Less than a week prior, the company released updates for a separate critical vulnerability (CVE-2025-20393) that was also actively exploited. That flaw affected Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, allowing attackers to execute arbitrary commands with root privileges, highlighting a persistent challenge in maintaining robust cybersecurity across Cisco’s product lines.
The proactive patching by Cisco and the subsequent inclusion of CVE-2026-20045 in CISA’s KEV catalog underscore the urgency for organizations to prioritize these updates. The focus now shifts to the swift implementation of these patches by affected agencies and businesses to prevent further exploitation and secure their communication infrastructures. The upcoming deadlines set by CISA provide a clear roadmap for remediation efforts.