U.S. CISA adds a flaw in Cisco Unified Communications products to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw impacting Cisco Unified Communications products to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Cisco Unified Communications products vulnerability, tracked as CVE-2026-20045 (CVSS score of 8.2), to its Known Exploited Vulnerabilities (KEV) catalog.

This week, Cisco patched a critical zero-day remote code execution flaw, tracked as CVE-2026-20045 (CVSS score of 8.2), actively exploited in attacks.

An unauthenticated, remote attacker can exploit the flaw to execute arbitrary commands on the underlying operating system of an affected device.

The bug affected Cisco Unified CM, Unified CM SME, IM & Presence, Unity Connection, and Webex Calling Dedicated Instance.

“This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device,” reads the advisory. “A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.”

Below are impacted versions:

Cisco Unified CM, Unified CM IM&P, Unified CM SME, and Webex Calling Dedicated Instance (release: first fixed release)

Release 12.5: Migrate to a fixed release.
Release 14: 14SU5, or apply patch file [1] ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
Release 15: 15SU4 (Mar 2026), or apply patch file [1] ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 or ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512

[1] Patches are version-specific. Consult the README attached to the patch for details.

Cisco Unity Connection (release: first fixed release)

Release 12.5: Migrate to a fixed release.
Release 14: 14SU5, or apply patch file [1] ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
Release 15: 15SU4 (Mar 2026), or apply patch file [1] ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512

[1] Patches are version-specific. Consult the README attached to the patch for details.

The networking giant confirmed that there are no workarounds that address this vulnerability.

“The Cisco PSIRT is aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability,” concludes the advisory.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by February 11, 2026.
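The following is an added example, not code from the article, CISA or Cisco: it reads a KEV-shaped JSON record (field names as in CISA's public feed; the entry's dateAdded and text fields are assumed placeholders), computes the BOD 22-01 deadline, and triages a Cisco UC node's release string against the first-fixed table above.

```python
import json
import re
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The CVE, vendor and
# due date come from the article; dateAdded and the text fields are assumed.
KEV_SAMPLE = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2026-20045",
    "vendorProject": "Cisco",
    "product": "Unified Communications Manager and related products",
    "dateAdded": "2026-01-21",
    "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
    "dueDate": "2026-02-11",
}]})

# First fixed Service Update per release train, from the advisory's fix table.
# None means the train has no fix: migrate to a fixed release. Note that 15SU4
# is scheduled for Mar 2026, so the interim .cop patch is the only option there.
FIRST_FIXED_SU = {"12.5": None, "14": 5, "15": 4}

def kev_entry(feed_json, cve_id):
    """Return the KEV record for cve_id, or None if it is not in the catalog."""
    for v in json.loads(feed_json)["vulnerabilities"]:
        if v["cveID"] == cve_id:
            return v
    return None

def days_until_due(entry, today):
    """Days left before the BOD 22-01 due date (negative when overdue)."""
    return (date.fromisoformat(entry["dueDate"]) - today).days

def triage(release, today, entry):
    """Classify a node's release string such as '14SU4', '15' or '12.5SU7'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(?:SU(\d+))?", release)
    if not m or m.group(1) not in FIRST_FIXED_SU:
        return "unknown release; verify manually"
    train, su = m.group(1), int(m.group(2) or 0)   # no SU suffix means SU0
    fixed = FIRST_FIXED_SU[train]
    if fixed is None:
        return "migrate to a fixed release"
    if su >= fixed:
        return "fixed"
    left = days_until_due(entry, today)
    urgency = "OVERDUE" if left < 0 else f"{left} days left"
    return f"apply {train}SU{fixed} or the version-specific patch ({urgency})"

if __name__ == "__main__":
    e = kev_entry(KEV_SAMPLE, "CVE-2026-20045")
    for rel in ("12.5SU7", "14SU4", "14SU5", "15SU2"):
        print(rel, "->", triage(rel, date.today(), e))
```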

Pierluigi Paganini


(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)
