Cisco fixes Unified Communications RCE zero day exploited in attacks
Cisco has fixed a critical Unified Communications and Webex Calling remote code execution vulnerability, tracked as CVE-2026-20045, that has been actively exploited as a zero-day in attacks.
Tracked as CVE-2026-20045, the flaw impacts Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance.
“This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device,” warns Cisco’s advisory.
“A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.”
While the vulnerability has a CVSS score of 8.2, Cisco assigned it a Critical severity rating, as exploitation leads to root access on servers.
Cisco has released the following software updates and patch files to address the vulnerability:
Cisco Unified CM, Unified CM IM&P, Unified CM SME, and Webex Calling Dedicated Instance Release:
| Version | First Fixed Release |
|---|---|
| 12.5 | Migrate to a fixed release. |
| 14 | 14SU5 or apply patch file: ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512 |
| 15 | 15SU4 (Mar 2026) or apply patch file: ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512 |
Cisco Unity Connection Release:
| Version | First Fixed Release |
|---|---|
| 12.5 | Migrate to a fixed release. |
| 14 | 14SU5 or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512 |
| 15 | 15SU4 (Mar 2026) or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512 |
The company says the patches are version specific, so the README should be reviewed before applying patches.
Cisco’s Product Security Incident Response Team (PSIRT) has confirmed that attempts to exploit the flaw have been observed in the wild, urging customers to upgrade to the latest software as soon as possible.
The company also said there are no workarounds that can mitigate the flaw without installing updates.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) Catalog and given federal agencies until February 11, 2026, to deploy updates.
Earlier this month, Cisco patched a Identity Services Engine (ISE) vulnerability with public proof-of-concept exploit code and a AsyncOS zero-day exploited since November.
