Cisco releases emergency updates for a critical remote code execution vulnerability (CVE-2026-20045) affecting Unified Communications and Webex Calling products, warning that attackers have already exploited the flaw to gain root access on vulnerable systems.
Cisco has released critical security updates to address an actively exploited zero-day vulnerability allowing remote attackers to execute arbitrary code and gain full control of affected Unified Communications and Webex Calling systems. Tracked as CVE-2026-20045, this flaw carries a CVSS score of 8.2 and impacts multiple Cisco collaboration products.
Technical Breakdown and Attack Mechanism
The vulnerability stems from improper validation of user-supplied input in HTTP requests. As Cisco's Product Security Incident Response Team (PSIRT) explains in their advisory: "An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root."
This attack vector is particularly dangerous because it requires no authentication and enables complete system compromise. Affected products include:
- Cisco Unified Communications Manager (Unified CM)
- Unified CM Session Management Edition (SME)
- Unified CM IM & Presence
- Cisco Unity Connection
- Webex Calling Dedicated Instance
Patch Requirements and Upgrade Paths
Cisco has released version-specific patches for affected software, emphasizing that administrators must carefully match patches to their deployment versions. The company confirms no workarounds exist to mitigate the vulnerability without applying updates.
| Product | Version | Remediation |
|---|---|---|
| Unified CM/IM&P/SME | 12.5 | Migrate to fixed release |
| 14 | Upgrade to 14SU5 or apply patch ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512 |
|
| 15 | Upgrade to 15SU4 (March 2026) or apply patches ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 / ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512 |
|
| Unity Connection | 12.5 | Migrate to fixed release |
| 14 | Upgrade to 14SU5 or apply patch ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512 |
|
| 15 | Upgrade to 15SU4 or apply patch ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512 |
Administrators should review the patch README documentation before implementation to ensure compatibility.
Immediate Action Required
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20045 to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to patch systems by February 11, 2026. Given the active exploitation and critical nature of this vulnerability—which provides attackers with root-level access—all organizations using affected products should prioritize these updates.
This patch release continues Cisco's recent pattern of addressing critical zero-days, following recent fixes for vulnerabilities in Identity Services Engine (ISE) and AsyncOS systems. The repeated pattern underscores the need for organizations to establish robust patch management processes for collaboration infrastructure.
Comments
Please log in or register to join the discussion