Cisco: Cisco Unified Communications 0-day RCE Vulnerability Exploited in the Wild to Gain Root Access

Critical Zero-Day in Cisco Unified Communications Exploited in the Wild

Cisco has disclosed CVE-2026-20045, a critical zero-day remote code execution (RCE) vulnerability actively exploited in attacks targeting its Unified Communications (UC) products. The flaw allows unauthenticated attackers to execute arbitrary commands on the underlying operating system, potentially escalating to root-level access.

The vulnerability stems from improper input validation in HTTP requests to the web-based management interface. Attackers can bypass authentication by sending crafted requests, initially executing commands at the user level before escalating privileges. Cisco rated the flaw Critical under its Security Impact Rating (SIR), emphasizing the severity of root-level compromise.

Affected Products

The vulnerability impacts the following Cisco products, regardless of configuration:

  • Unified Communications Manager (Unified CM)
  • Unified CM Session Management Edition (SME)
  • Unified CM IM & Presence Service (IM&P)
  • Unity Connection
  • Webex Calling Dedicated Instance

Other products, including Contact Center SIP Proxy and Unified CCE, are confirmed unaffected. A full list is available in Cisco’s advisory.

Exploitation & Risk

Cisco’s Product Security Incident Response Team (PSIRT) confirmed real-world exploitation, with attackers likely using automated scanners to target exposed management interfaces. Enterprises running vulnerable VoIP and UC deployments, particularly in hybrid work environments, face heightened risk, because exploitation requires only network access to the management interface, which is often exposed via firewalls or VPNs.

No workarounds exist, and Cisco has released patches and fixed releases for affected versions. Organizations must migrate or apply version-specific updates immediately. Key fixed releases include:

  • Unified CM, IM&P, SME, Webex Calling: 14SU5, 14SU4a patch, or 15SU4 (March 2026)
  • Unity Connection: 14SU5, 14SU4 patch, or 15SU4 (March 2026)

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20045 to its Known Exploited Vulnerabilities Catalog, underscoring the urgency of remediation.

Mitigation & Detection

Cisco recommends:

  • Applying patches immediately (no workarounds available).
  • Restricting management interface access to trusted IP addresses via firewalls.
  • Monitoring logs for anomalous HTTP requests.
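
The last two recommendations can be combined into one log review. The following is an added example, not code from Cisco or from the original article: it flags requests that reached a management interface from outside an allowlist of trusted networks. The log format (Common Log Format), the trusted ranges, the paths and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: networks permitted to reach the management interface.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.16/28")]

# Assumption: Common Log Format: client ident user [time] "request" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation address ranges, placeholder paths).
SAMPLE_LOG = [
    '10.20.0.15 - admin [21/Jan/2026:09:12:01 +0000] "GET /mgmt/home HTTP/1.1" 200 5120',
    '198.51.100.23 - - [21/Jan/2026:09:13:44 +0000] "POST /mgmt/placeholder HTTP/1.1" 200 312',
    '203.0.113.9 - - [21/Jan/2026:09:14:02 +0000] "GET /mgmt/home HTTP/1.1" 401 0',
    'garbage line',
]

def is_trusted(ip):
    """True if ip falls inside an allowlisted network; ValueError if not an IP."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def review(lines):
    """Return (reason, ip, path, status) for every line that needs triage."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        try:
            trusted = is_trusted(m["ip"]) if m else None
        except ValueError:
            trusted = None
        if trusted is None:
            # Never drop lines silently: a malformed entry is itself worth a look.
            findings.append(("unparsed", None, line.strip()[:80], None))
            continue
        if trusted:
            continue
        status = int(m["status"])
        # No authenticated user plus a 2xx response from an untrusted source is
        # the highest-priority case; login pages also match, so triage by path.
        if m["user"] == "-" and 200 <= status < 300:
            reason = "untrusted-unauthenticated-success"
        else:
            reason = "untrusted-source"
        findings.append((reason, m["ip"], m["path"], status))
    return findings
```

Any "untrusted-source" finding also shows that the firewall restriction is not in effect for that address, independent of whether the request succeeded.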

The flaw was reported by an external researcher, whom Cisco credited in its advisory. The incident highlights the growing risks to UC platforms amid rising RCE exploitation trends.

Source: https://cybersecuritynews.com/cisco-unified-cm-rce/

Cisco cybersecurity rating report: https://www.rankiteo.com/company/cisco

"id": "CIS1769059373",
"linkid": "cisco",
"type": "Vulnerability",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"