Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex

Posted on By CWS

Ravie LakshmananJan 22, 2026Vulnerability / Zero-Day
Cisco has launched contemporary patches to deal with what it described as a “crucial” safety vulnerability impacting a number of Unified Communications (CM) merchandise and Webex Calling Devoted Occasion that it has been actively exploited as a zero-day within the wild.
The vulnerability, CVE-2026-20045 (CVSS rating: 8.2), may allow an unauthenticated distant attacker to execute arbitrary instructions on the underlying working system of a inclined system.
“This vulnerability is because of improper validation of user-supplied enter in HTTP requests,” Cisco stated in an advisory. “An attacker may exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based administration interface of an affected system. A profitable exploit may permit the attacker to acquire user-level entry to the underlying working system after which elevate privileges to root.”

The crucial ranking for the flaw is because of the truth that its exploitation may permit for privilege escalation to root, it added. The vulnerability impacts the next merchandise –

Unified CM
Unified CM Session Administration Version (SME)
Unified CM IM & Presence Service (IM&P)
Unity Connection
Webex Calling Devoted Occasion

It has been addressed within the following variations –
Cisco Unified CM, CM SME, CM IM&P, and Webex Calling Devoted Occasion –

Launch 12.5 – Migrate to a set launch
Launch 14 – 14SU5 or apply patch file: ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
Launch 15 – 15SU4 (Mar 2026) or apply patch file: ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 or ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512

Cisco Unity Connection

Launch 12.5 – Migrate to a set launch
Launch 14 – 14SU5 or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
Launch 15 – 15SU4 (Mar 2026) or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512

The networking gear main additionally stated it is “conscious of tried exploitation of this vulnerability within the wild,” urging clients to improve to a set software program launch to deal with the problem. There are at the moment no workarounds. An nameless exterior researcher has been credited with discovering and reporting the bug.
The event has prompted the U.S. Cybersecurity and Infrastructure Safety Company (CISA) so as to add CVE-2026-20045 to its Recognized Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Government Department (FCEB) companies to use the fixes by February 11, 2026.
The invention of CVE-2026-20045 comes lower than per week after Cisco launched updates for an additional actively exploited crucial safety vulnerability affecting AsyncOS Software program for Cisco Safe E mail Gateway and Cisco Safe E mail and Internet Supervisor (CVE-2025-20393, CVSS rating: 10.0) that would allow an attacker to execute arbitrary instructions with root privileges.

The Hacker News Tags:, , , , , , ,

Related Posts

Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks The Hacker News
EvilAI Malware Masquerades as AI Tools to Infiltrate Global Organizations The Hacker News
TAG-140 Deploys DRAT V2 RAT, Targeting Indian Government, Defense, and Rail Sectors The Hacker News
New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP The Hacker News
Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands of Instances The Hacker News
Soco404 and Koske Malware Target Cloud Services with Cross-Platform Cryptomining Attacks The Hacker News