Key Takeaways
- Cisco has released patches to address a critical security vulnerability (CVE-2026-20045) that has been actively exploited as a zero-day in the wild.
- The vulnerability affects multiple Unified Communications (CM) products and Webex Calling Dedicated Instance, and could permit an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of a susceptible device.
- The vulnerability is due to improper validation of user-supplied input in HTTP requests and can be exploited by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device.
- Cisco has released patches for the affected products, including Unified CM, Unified CM Session Management Edition (SME), Unified CM IM & Presence Service (IM&P), Unity Connection, and Webex Calling Dedicated Instance.
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by February 11, 2026.
Introduction to the Vulnerability
Cisco has released fresh patches to address a critical security vulnerability that has been actively exploited as a zero-day in the wild. The vulnerability, CVE-2026-20045, affects multiple Unified Communications (CM) products and Webex Calling Dedicated Instance. According to Cisco, the vulnerability could permit an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of a susceptible device. This is a significant concern, as it could allow attackers to gain access to sensitive information and disrupt the normal functioning of the affected devices.
Technical Details of the Vulnerability
The vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. The critical rating for the flaw is due to the fact that its exploitation could allow for privilege escalation to root. The vulnerability impacts a range of products, including Unified CM, Unified CM Session Management Edition (SME), Unified CM IM & Presence Service (IM&P), Unity Connection, and Webex Calling Dedicated Instance.
Affected Products and Patches
The vulnerability has been addressed in several versions of the affected products. For example, Cisco Unified CM, CM SME, CM IM&P, and Webex Calling Dedicated Instance have been patched in Release 12.5, Release 14 (14SU5 or apply patch file: ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512), and Release 15 (15SU4 or apply patch file: ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 or ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512). Similarly, Cisco Unity Connection has been patched in Release 12.5, Release 14 (14SU5 or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512), and Release 15 (15SU4 or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512). Cisco has urged customers to upgrade to a fixed software release to address the issue, as there are currently no workarounds.
Exploitation and Response
Cisco has stated that it is aware of attempted exploitation of this vulnerability in the wild. This has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog. As a result, Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by February 11, 2026. The discovery of CVE-2026-20045 comes less than a week after Cisco released updates for another actively exploited critical security vulnerability affecting AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager (CVE-2025-20393, CVSS score: 10.0). The anonymous external researcher who discovered and reported the bug has been credited by Cisco.
Conclusion and Recommendations
In conclusion, the discovery of CVE-2026-20045 highlights the importance of keeping software up to date and patching vulnerabilities in a timely manner. Cisco’s prompt response to the vulnerability and the release of patches for the affected products are commendable. However, it is essential for customers to take immediate action to apply the fixes and prevent potential exploitation. The U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) addition of CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog serves as a reminder of the severity of the vulnerability and the need for prompt action. By prioritizing cybersecurity and keeping software up to date, organizations can reduce the risk of exploitation and protect their sensitive information.