Cisco has released fresh patches to address what it described as a “critical” security vulnerability impacting multiple Unified Communications (CM) products and Webex Calling Dedicated Instance that it has been actively exploited as a zero-day in the wild.
The vulnerability, CVE-2026-20045 (CVSS score: 8.2), could permit an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of a susceptible device.
“This vulnerability is due to improper validation of user-supplied input in HTTP requests,” Cisco said in an advisory. “An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.”
The critical rating for the flaw is due to the fact that its exploitation could allow for privilege escalation to root, it added. The vulnerability impacts the following products –
- Unified CM
- Unified CM Session Management Edition (SME)
- Unified CM IM & Presence Service (IM&P)
- Unity Connection
- Webex Calling Dedicated Instance
It has been addressed in the following versions –
Cisco Unified CM, CM SME, CM IM&P, and Webex Calling Dedicated Instance –
- Release 12.5 – Migrate to a fixed release
- Release 14 – 14SU5 or apply patch file: ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
- Release 15 – 15SU4 (Mar 2026) or apply patch file: ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 or ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512
Cisco Unity Connection
- Release 12.5 – Migrate to a fixed release
- Release 14 – 14SU5 or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
- Release 15 – 15SU4 (Mar 2026) or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
The networking equipment major also said it’s “aware of attempted exploitation of this vulnerability in the wild,” urging customers to upgrade to a fixed software release to address the issue. There are currently no workarounds. An anonymous external researcher has been credited with discovering and reporting the bug.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by February 11, 2026.
The discovery of CVE-2026-20045 comes less than a week after Cisco released updates for another actively exploited critical security vulnerability affecting AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager (CVE-2025-20393, CVSS score: 10.0) that could permit an attacker to execute arbitrary commands with root privileges.
