
Cisco has released a patch to address what it describes as a “critical” security vulnerability affecting multiple Unified Communications Manager (Unified CM) products and Webex Calling dedicated instances. The vulnerability is being actively exploited in the wild as a zero-day.
The vulnerability, tracked as CVE-2026-20045 (CVSS score: 8.2), could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.
“This vulnerability is due to improper validation of user-supplied input in an HTTP request,” Cisco said in an advisory. “An attacker could exploit this vulnerability by sending a series of crafted HTTP requests to the web-based management interface of an affected device. Successful exploitation could allow the attacker to gain user-level access to the underlying operating system and escalate privileges to root.”

It added that the flaw's critical rating reflects the fact that successful exploitation allows privilege escalation to root. The vulnerability affects the following products:
- Unified CM
- Unified CM Session Management Edition (SME)
- Unified CM IM & Presence Service (IM&P)
- Unity Connection
- Webex Calling dedicated instance
This issue has been resolved in the following versions:
Cisco Unified CM, Unified CM SME, Unified CM IM&P, and Webex Calling dedicated instances:
- Release 12.5 – Migrate to a fixed release
- Release 14 – 14SU5, or apply the patch file ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
- Release 15 – 15SU4 (March 2026), or apply the patch file ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 or ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512

Cisco Unity Connection:
- Release 12.5 – Migrate to a fixed release
- Release 14 – 14SU5, or apply the patch file ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
- Release 15 – 15SU4 (March 2026), or apply the patch file ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
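The fixed-release table above is the kind of thing a defender ends up applying across an inventory of UC nodes. The following Python script is an added example, not Cisco's tooling and not part of the advisory: it transcribes the table and patch file names from the advisory summary above, parses a release string, and reports for each host whether it is below the first fixed release and which remediation the advisory lists. It assumes the inventory reports releases as strings such as "14SU4a", "15SU3" or "12.5SU7" and that product names match the labels used in the script; hostnames in the sample inventory are constructed.

```python
"""
Remediation triage for CVE-2026-20045, added here as an illustration; it is not
Cisco's tooling and not part of the advisory. The fixed-release table and patch
file names are transcribed from the advisory summary above. Assumptions: the
inventory reports releases as strings such as "14SU4a", "15SU3" or "12.5SU7",
and product names match the labels used below.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Product label -> patch-file family in the advisory (labels are our own shorthand).
PRODUCT_FAMILY = {
    "Unified CM": "ucm",
    "Unified CM SME": "ucm",
    "Unified CM IM&P": "ucm",
    "Webex Calling dedicated instance": "ucm",
    "Unity Connection": "cuc",
}

# family -> major release -> (first fixed SU, patch files the advisory lists for that major).
FIXED = {
    "ucm": {
        "14": (5, ["ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512"]),
        "15": (4, ["ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512",
                   "ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512"]),
    },
    "cuc": {
        "14": (5, ["ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512"]),
        "15": (4, ["ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512"]),
    },
}
UNSUPPORTED = {"12.5"}   # advisory: migrate to a fixed release, no patch file

# Assumed release-string format: major ("14" or "12.5"), optional "SU<n>" and letter suffix.
_RELEASE_RE = re.compile(r"^(?P<major>\d+(?:\.\d+)?)(?:SU(?P<su>\d+)[a-z]?)?$", re.IGNORECASE)


@dataclass
class Verdict:
    vulnerable: Optional[bool]   # None when the product/release is not covered by the table
    action: str


def parse_release(release: str) -> tuple:
    """Split "14SU4a" into ("14", 4); a bare "15" is SU 0 (base release)."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return m.group("major"), int(m.group("su") or 0)


def triage(product: str, release: str) -> Verdict:
    family = PRODUCT_FAMILY.get(product)
    if family is None:
        return Verdict(None, f"{product} is not listed in the advisory")
    major, su = parse_release(release)
    if major in UNSUPPORTED:
        return Verdict(True, "migrate to a fixed release (no patch file for 12.5)")
    entry = FIXED[family].get(major)
    if entry is None:
        return Verdict(None, f"release {release} not covered by the advisory table")
    first_fixed_su, patch_files = entry
    if su >= first_fixed_su:
        return Verdict(False, f"{major}SU{su} is at or above the fixed release {major}SU{first_fixed_su}")
    # Below the fixed SU: upgrade, or apply one of the advisory's patch files. The
    # advisory pairs each file with a specific SU level, so all candidates are shown.
    return Verdict(True, f"upgrade to {major}SU{first_fixed_su} or apply: " + " / ".join(patch_files))


# Constructed inventory rows (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("cucm-pub-01", "Unified CM", "14SU4a"),
    ("cucm-sub-02", "Unified CM", "14SU5"),
    ("imp-01", "Unified CM IM&P", "15SU3"),
    ("cuc-01", "Unity Connection", "12.5SU7"),
    ("cucm-lab", "Unified CM", "15SU4"),
]


def triage_inventory(rows=SAMPLE_INVENTORY) -> list:
    """Return (host, verdict) pairs with vulnerable hosts first, unknowns next, fixed last."""
    results = [(host, triage(product, release)) for host, product, release in rows]
    order = {True: 0, None: 1, False: 2}
    return sorted(results, key=lambda r: order[r[1].vulnerable])


if __name__ == "__main__":
    for host, v in triage_inventory():
        flag = {True: "VULNERABLE", False: "fixed", None: "UNKNOWN"}[v.vulnerable]
        print(f"{host:12} {flag:10} {v.action}")
```

Unknown products and releases are deliberately reported as a separate state rather than "fixed", so a node running a release the advisory does not mention is never silently treated as safe.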

The networking equipment giant also said it was “aware of attempts to exploit this vulnerability in the wild” and urged customers to upgrade to a fixed software release that addresses the issue. There is currently no workaround. An anonymous external researcher is said to have discovered and reported this bug.
Due to this development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) Catalog and requires Federal Civilian Executive Branch (FCEB) agencies to apply a fix by February 11, 2026.
The discovery of CVE-2026-20045 comes less than a week after Cisco released an update for another actively exploited critical security vulnerability (CVE-2025-20393, CVSS score: 10.0) affecting AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This vulnerability could allow an attacker to execute arbitrary commands with root privileges.
