Cisco has fixed a critical Unified Communications and Webex Calling remote code execution vulnerability, tracked as CVE-2026-20045, that has been actively exploited as a zero-day in attacks.
The flaw impacts Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance.
"This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device," warns Cisco's advisory.
"A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root."
While the vulnerability has a CVSS score of 8.2, Cisco assigned it a Critical severity rating, as exploitation leads to root access on servers.
Cisco has released the following software updates and patch files to address the vulnerability:
Cisco Unified CM, Unified CM IM&P, Unified CM SME, and Webex Calling Dedicated Instance Release:
| Version | First Fixed Release |
|---|---|
| 12.5 | Migrate to a fixed release. |
| 14 | 14SU5 or apply patch file: ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512 |
| 15 | 15SU4 (Mar 2026) or apply patch file: ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 |