Cisco has fixed a critical Unified Communications and Webex Calling remote code execution vulnerability, tracked as CVE-2026-20045, that has been actively exploited as a zero-day in attacks.
Tracked as CVE-2026-20045, the flaw impacts Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance.
“This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device,” warns Cisco’s advisory.
“A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.”
While the vulnerability has a CVSS score of 8.2, Cisco assigned it a Critical severity rating, as exploitation leads to root access on servers.
Cisco has released the following software updates and patch files to address the vulnerability:
Cisco Unified CM, Unified CM IM&P, Unified CM SME, and Webex Calling Dedicated Instance Release:
| Version | First Fixed Release |
|---|---|
| 12.5 | Migrate to a fixed release. |
| 14 | 14SU5 or apply patch file: ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512 |
| 15 | 15SU4 (Mar 2026) or apply patch file: ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512 |
Cisco Unity Connection Release:
| Version | First Fixed Release |
|---|---|
| 12.5 | Migrate to a fixed release. |
| 14 | 14SU5 or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512 |
| 15 | 15SU4 (Mar 2026) or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512 |
The company says the patches are version specific, so the README should be reviewed before applying patches.
Cisco’s Product Security Incident Response Team (PSIRT) has confirmed that attempts to exploit the flaw have been observed in the wild, urging customers to upgrade to the latest software as soon as possible.
The company also said there are no workarounds that can mitigate the flaw without installing updates.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) Catalog and given federal agencies until February 11, 2026, to deploy updates.
Earlier this month, Cisco patched a Identity Services Engine (ISE) vulnerability with public proof-of-concept exploit code and a AsyncOS zero-day exploited since November.
The 2026 CISO Budget Benchmark
It’s budget season! Over 300 CISOs and security leaders have shared how they’re planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026.
Learn how top leaders are turning investment into measurable impact.
Related Articles:
Cisco warns of unpatched AsyncOS zero-day exploited in attacks
Cisco finally fixes AsyncOS zero-day exploited since November
New Windows zero-day exploited by 11 state hacking groups since 2017
Google fixes two Android zero days exploited in attacks, 107 flaws
VMware ESXi zero-days likely exploited a year before disclosure