Cisco has released new software updates to address a critical security vulnerability impacting several of its Unified Communications products and Webex Calling Dedicated Instance, after confirming that the flaw has been actively exploited as a zero day in real world attacks. The company classified the issue as severe due to the risk it poses to enterprise environments that rely on Cisco collaboration infrastructure for voice and messaging services. The vulnerability has been assigned the identifier CVE-2026-20045 and carries a CVSS score of 8.2, reflecting the potential for significant system compromise if left unpatched. Cisco has urged customers to prioritize remediation efforts as there are currently no mitigation workarounds available outside of upgrading to fixed software releases.
According to Cisco’s advisory, the vulnerability stems from improper validation of user supplied input in HTTP requests handled by the web based management interface of affected systems. An unauthenticated remote attacker could exploit the flaw by sending a sequence of specially crafted HTTP requests, enabling them to execute arbitrary commands on the underlying operating system. Successful exploitation could first grant the attacker user level access and then allow further privilege escalation to root. Cisco noted that the ability to elevate privileges significantly increases the severity of the issue, as it could lead to full system control, service disruption, or the deployment of additional malicious tools within enterprise networks. The company confirmed that it is aware of attempted exploitation in the wild, underscoring the urgency for organizations to act.
The affected products include Cisco Unified Communications Manager, Unified CM Session Management Edition, Unified CM IM and Presence Service, Unity Connection, and Webex Calling Dedicated Instance. Cisco has provided guidance on fixed versions for impacted releases. Customers running version 12.5 are required to migrate to a secure release, while those on release 14 are advised to upgrade to 14SU5 or apply the relevant patch files. For release 15, Cisco stated that version 15SU4 scheduled for March 2026 will fully address the issue, with interim patch options available for earlier service updates. Similar upgrade paths and patch guidance have been issued for Cisco Unity Connection across supported versions. An anonymous external researcher has been credited with responsibly disclosing the vulnerability to Cisco, enabling the development of the fixes now being made available.
The disclosure of CVE-2026-20045 has also drawn the attention of U.S. Cybersecurity and Infrastructure Security Agency, which has added the vulnerability to its Known Exploited Vulnerabilities catalog. As a result, Federal Civilian Executive Branch agencies are required to apply the necessary updates by February 11, 2026, in line with federal cybersecurity directives. The incident follows closely on the heels of another serious Cisco security issue disclosed less than a week earlier, involving a critical flaw in AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager that allowed root level command execution. Together, these incidents highlight the continued targeting of widely deployed enterprise communication and security platforms, reinforcing the importance of timely patch management and proactive vulnerability monitoring across organizational environments.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
