February 2nd, 2026

Cisco Unified Communications Zero-Day RCE Actively Exploited in the Wild (CVE-2026-20045)

Critical

Cisco has released security updates to address a critical remote code execution (RCE) vulnerability, CVE-2026-20045, affecting several Cisco Unified Communications products and Webex Calling Dedicated Instance. Cisco confirmed that attackers actively exploited this zero-day vulnerability before a patch was available. The vulnerability allows unauthenticated remote attackers to execute arbitrary commands, gain user-level access, and escalate privileges to root. Because these platforms are central to enterprise communications, successful exploitation presents significant operational and security risks.

Technical Details

CVE ID: CVE-2026-20045
Severity: Critical
- NIST (NVD) CVSS v3.1 Score: 9.8 (Critical)
- Cisco (CNA) CVSS v3.1 Score: 8.2 (High)
Vulnerability Type: Remote Code Execution (RCE)
Attack Vector: Unauthenticated remote
Privileges Required: None
User Interaction: None
Affected Products:
- Cisco Unified Communications Manager (Unified CM)
- Unified CM Session Management Edition (SME)
- Unified CM IM & Presence
- Cisco Unity Connection
- Webex Calling Dedicated Instance
Vulnerability Details:
- Cisco identified the vulnerability as stemming from improper validation of user-supplied input in HTTP requests handled by the web-based management interface.
- An unauthenticated attacker can exploit the vulnerability by sending a sequence of crafted HTTP requests to a vulnerable system.
- Cisco’s Product Security Incident Response Team (PSIRT) has confirmed active exploitation attempts in the wild, elevating the urgency of remediation.
Fixed Versions:
- Version 12.5: Migrate to a fixed release.
- Version 14: 14SU5 or apply patch file:
  - ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
- Version 15: 15SU4 (Mar 2026) or apply patch file:
  - ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512
  - ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512
For Cisco Unity Connection:
- Version 12.5: Migrate to a fixed release.
- Version 14: 14SU5 or apply patch file:
  - ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
- Version 15: 15SU4 (Mar 2026) or apply patch file:
  - ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512

Impact

Successful exploitation of CVE-2026-20045 may allow threat actors to:

Execute arbitrary commands without authentication
Obtain user-level operating system access
Escalate privileges to root, enabling full system control
Compromise enterprise voice, messaging, and collaboration services
Disrupt business-critical communication infrastructure
Establish persistent access and facilitate follow-on attacks

The combination of unauthenticated access, root-level impact, and confirmed in-the-wild exploitation significantly increases the risk to exposed environments.

Detection Method

Organizations should monitor for indicators of attempted or successful exploitation, including:

Suspicious or anomalous HTTP request activity targeting Unified Communications management interfaces
Logs showing malformed or unexpected HTTP requests
Evidence of unauthorized user-level or root-level access
Abnormal system behavior consistent with post-exploitation activity
Presence of affected products running unpatched software versions

Indicators of Compromise

There are no Indicators of Compromise (IOCs) for this Advisory.

mix of red, purple, orange, blue bubble shape waves horizontal for cybersecurity and netwo

Recommendations

Organizations are strongly advised to:

Immediately apply Cisco-released patches for all affected products
Follow Cisco’s version-specific upgrade guidance, as fixes are dependent on software release trains
Review patch README files prior to deployment
Prioritize remediation for internet-facing or externally accessible systems
Monitor Cisco PSIRT advisories for updates and additional guidance

CISA KEV Requirement: CVE-2026-20045 has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog. Federal agencies must apply fixes no later than February 11, 2026.

Note: Cisco has stated that no workarounds exist for this vulnerability. Patching is the only effective mitigation.

Conclusion

CVE-2026-20045 poses a critical risk to organizations due to its unauthenticated exploitation, root-level impact, and confirmed active abuse. With no workarounds, timely patching is essential for all affected organizations. Because Cisco Unified Communications infrastructure is widely deployed in enterprises, failing to remediate promptly may cause significant security compromise, service disruption, and operational impact. We urge organizations to assess exposure immediately and deploy the appropriate fixes without delay.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-20045

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b

https://thehackernews.com/2026/01/cisco-fixes-actively-exploited-zero-day.html

https://www.bleepingcomputer.com/news/security/cisco-fixes-unified-communications-rce-zero-day-exploited-in-attacks/

https://cybersecuritynews.com/cisco-unified-cm-rce/