Amid growing concerns over real-world cyberattacks, Cisco has released urgent security updates to fix a critical zero-day vulnerability affecting several of its Unified Communications products and Webex Calling Dedicated Instance. The flaw has been confirmed as actively exploited in the wild.
The vulnerability, tracked as CVE-2026-20045 with a CVSS score of 8.2, allows an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of vulnerable systems.
“This vulnerability is due to improper validation of user-supplied input in HTTP requests,” Cisco said in an advisory. “An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.”
Cisco classified the issue as critical because successful exploitation can lead to privilege escalation to root access.
The vulnerability impacts the following products:
- Unified CM
- Unified CM Session Management Edition (SME)
- Unified CM IM & Presence Service (IM&P)
- Unity Connection
- Webex Calling Dedicated Instance
Cisco has released fixes across multiple software versions.
For Cisco Unified CM, CM SME, CM IM&P, and Webex Calling Dedicated Instance:
- Release 12.5: migrate to a fixed release
- Release 14: upgrade to 14SU5 or apply patch file ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
- Release 15: upgrade to 15SU4 (Mar 2026) or apply patch files ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 or ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512
For Cisco Unity Connection:
- Release 12.5: migrate to a fixed release
- Release 14: upgrade to 14SU5 or apply patch file ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
- Release 15: upgrade to 15SU4 (Mar 2026) or apply patch file ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
The company stated it is “aware of attempted exploitation of this vulnerability in the wild” and urged customers to update immediately. No workarounds are currently available. An anonymous external researcher reported the flaw.
The issue has also been added to the Known Exploited Vulnerabilities catalog by the US cyber agency, requiring Federal Civilian Executive Branch agencies to apply fixes by February 11, 2026.
This disclosure follows another Cisco security update released less than a week earlier for a separate actively exploited flaw affecting email security products.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
