Key Takeaways
- A zero-day vulnerability, CVE-2026-20045, has been discovered in Cisco’s Unified Communications products, affecting 30 million users.
- The vulnerability allows for remote code execution (RCE) and has been exploited by threat actors, although the source of the activity is unclear.
- Cisco has patched the vulnerability and urges customers to update their software to a fixed version.
- The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
- Threat intelligence vendors warn that the vulnerability is likely to attract more attention from attackers due to its high impact and severity.
Introduction to the Vulnerability
A recent zero-day vulnerability affecting a range of Cisco’s unified communications products has been exploited by threat actors, though details of the activity are unclear. Cisco on Wednesday disclosed and patched CVE-2026-20045, a remote code execution (RCE) vulnerability in Cisco’s Unified Communications Manager (UCM) as well as other products. Cisco’s UCM provides IP-based voice, video, conferencing, and collaboration for enterprises, with 30 million users, making the potential impact of this vulnerability vast. The vulnerability stems from improper validation of user-supplied input in HTTP requests, allowing an attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.
Impact and Severity of the Vulnerability
According to Cisco’s advisory, the flaw has a high-severity CVSS score of 8.2, and Cisco assigned it a proprietary Security Impact Rating (SIR) of critical due to the potential of attackers to achieve root privileges and gain full control over targeted systems. The zero-day vulnerability also impacts Cisco’s Unified Communications Manager Session Management Edition (UCM SME), Unified Communications Manager IM & Presence Service (UCM IM&P), Unity Connection, and Webex Calling Dedicated Instance. The networking giant credited an anonymous "external researcher" with the discovery of the RCE flaw. The vulnerability has been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, indicating that it has been exploited in the wild.
Exploitation and Attackers
Cisco’s Product Security Incident Response Team (PSIRT) is aware of attempted exploitation of this vulnerability in the wild, and the company strongly urges customers to update their software to a fixed version. While the source of the exploitation activity is unclear, threat intelligence vendor SOCRadar noted that signs indicate possible mass scanning for vulnerable instances. The observed exploitation behavior points to attackers scanning for exposed or poorly secured Unified Communications Management interfaces and abusing unauthenticated HTTP access to gain a foothold. Arctic Wolf Labs warned that the zero-day flaw was likely to attract more attention from attackers, given the nature and severity of the vulnerability.
History of Cisco Vulnerabilities
Cisco vulnerabilities have been heavily targeted by a variety of threat actors in recent years, most notably by nation-state adversaries tied to the People’s Republic of China (PRC). In September, Cisco disclosed and patched several zero-day vulnerabilities that were used in an ongoing state-sponsored cyber-espionage campaign known as "ArcaneDoor." More recently, Cisco revealed in December that China-nexus threat group UAT-9686 had been exploiting a zero-day flaw that impacts Cisco’s Secure Email Gateway and Secure Email and Web Manager. The critical vulnerability, tracked as CVE-2025-20393, received a max CVSS score of 10 and was patched last week. This history of exploitation highlights the importance of patching vulnerabilities quickly and the need for continued vigilance in protecting against cyber threats.
Conclusion and Recommendations
In conclusion, the zero-day vulnerability affecting Cisco’s unified communications products is a significant threat that has already been exploited by attackers. Cisco has patched the vulnerability, and customers are urged to update their software to a fixed version. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, and threat intelligence vendors warn that the vulnerability is likely to attract more attention from attackers. To protect against this vulnerability, it is essential to patch software quickly and maintain good cybersecurity hygiene, including monitoring for suspicious activity and keeping software up to date. By taking these steps, organizations can reduce the risk of exploitation and protect their systems and data from cyber threats.