Cisco Zero-Day Exploit: CVE-2026-20045 Fixes & Impact

by Priyanka Patel January 22, 2026

written by Priyanka Patel January 22, 2026

“`html

Critical Zero-Day Exploited in Cisco Unified Communications Products

A critical security vulnerability in multiple Cisco Unified Communications products and Webex Calling Dedicated Instance is being actively exploited in the wild, the networking giant disclosed on January 22, 2026. The flaw, tracked as CVE-2026-20045 with a CVSS score of 8.2, allows unauthenticated remote attackers to execute arbitrary commands on affected systems.

The vulnerability stems from improper validation of user-supplied input in HTTP requests. According to a company release, an attacker can exploit this weakness by sending specifically crafted HTTP requests to the web-based management interface of a vulnerable device. A successful exploit could grant the attacker user-level access, with the potential to escalate privileges to root.

“This vulnerability is due to improper validation of user-supplied input in HTTP requests,” Cisco stated.”An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device.”

Did you know? – CVE scores range from 0-10, with 10 being the most severe. A score of 8.2 indicates a high-severity vulnerability requiring prompt attention.

The following products are impacted:

Unified CM
Unified CM Session Management Edition (SME)
Unified CM IM & Presence Service (IM&P)
Unity Connection
Webex Calling Dedicated Instance

Cisco has released software updates to address the vulnerability. Specific versions and required actions include:

Cisco Unified CM, CM SME, CM IM&P, and Webex Calling Dedicated Instance

Release 12.5 – Migrate to a fixed release
Release 14 – 14SU5 or apply patch file: ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
Release 15 – 15SU4 (March 2026) or apply patch file: ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 or ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512

Cisco Unity Connection

Release 12.5 – Migrate to a fixed release
Release 14 – 14SU5 or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
Release 15 – 15SU4 (March 2026) or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512

Pro tip – Regularly patching systems is a fundamental security practice. Prioritize updates addressing actively exploited vulnerabilities like CVE-2026-20045.

Cisco confirmed it is aware of active exploitation attempts and emphasizes that no workarounds currently exist. The vulnerability was discovered and reported by an anonymous external researcher.

The severity of the situation prompted the U.S.Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog. This designation mandates that Federal Civilian Executive Branch (FCEB) agencies apply the necessary fixes by February 11,2026.

Priyanka Patel

Former software engineer turned tech reporter. Explores AI, cybersecurity, gadgets and start-up culture.

Cisco Zero-Day Exploit: CVE-2026-20045 Fixes & Impact

Critical Zero-Day Exploited in Cisco Unified Communications Products

Related

iPhone 18 Pro & Fold Leak: Price Predictions & New Apple Details

FEI Jumping 2026: Article 259 Warning Explained | Factsheet

You may also like

Leave a Comment Cancel Reply