Cyber: Cisco Fixes Unified Communications RCE Zero Day Exploited In Attacks

Cisco has fixed a critical Unified Communications and Webex Calling remote code execution vulnerability, tracked as CVE-2026-20045, that has been actively exploited as a zero-day in attacks.

Tracked as CVE-2026-20045, the flaw impacts Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance.

"This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device," warns Cisco's advisory.

"A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root."

While the vulnerability has a CVSS score of 8.2, Cisco assigned it a Critical severity rating, as exploitation leads to root access on servers.

Cisco has released the following software updates and patch files to address the vulnerability:

Cisco Unified CM, Unified CM IM&P, Unified CM SME, and Webex Calling Dedicated Instance Release:

The company says the patches are version specific, so the README should be reviewed before applying patches.

Cisco's Product Security Incident Response Team (PSIRT) has confirmed that attempts to exploit the flaw have been observed in the wild, urging customers to upgrade to the latest software as soon as possible.

The company also said there are no workarounds that can mitigate the flaw without installing updates.

Source: BleepingComputer