Cisco Fixes Unified Communications RCE Flaw Under Attack
Threat actors are attempting to exploit the Cisco remote code execution flaw (CVE-2026-20045) in the wild, according to a new security advisory.
Cisco this week released fixes for a vulnerability in its Unified Communications products and warned customers to update as soon as possible, due to attempted exploitation activity.
The remote code execution flaw (CVE-2026-20045) exists in Cisco’s lineup of products for voice, video, and mobility services for endpoints and applications, including Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance.
The flaw stems from improper validation of user-supplied input in HTTP requests. If exploited, it could enable unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system of impacted devices – all they would need to do is send a sequence of crafted HTTP requests to the web-based management interface.
“A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root,” according to Cisco’s Wednesday security release.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20045 to its Known Exploited Vulnerabilities catalog on Wednesday, giving government agencies a deadline of Feb. 11 to apply the patches. While there aren't many details available yet about the exploitation attempts, Cisco in its advisory said that customers should update as soon as possible to the fixed versions for impacted products, which are outlined in its security advisory.
“The Cisco PSIRT is aware of attempted exploitation of this vulnerability in the wild,” said Cisco’s advisory. “Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability.”
The flaw has a high-severity CVSS score of 8.2 out of 10; however, Cisco said it has assigned its security advisory a critical rating due to the ability of the flaw to elevate attacker privileges to root.
Cisco in recent months has released fixes for actively exploited vulnerabilities. Cisco in December also warned of a zero-day vulnerability in its Cisco AsyncOS software, which is a critical component of the company’s email security appliances used by enterprises. At the time, Cisco said threat actors were exploiting the improper input validation flaw to target a “limited subset of appliances with certain ports open to the internet” that are running AsyncOS Software. While patches were initially unavailable, Cisco on Jan. 15 added fixed releases for this flaw.
Recent Comments
No comments to show.