Cisco Confirms Active Exploitation of Critical CVE-2026-20045 RCE Flaw in Unified Communications Systems

Cisco has released a security advisory detailing a serious vulnerability (CVE-2026-20045) affecting several of its Unified Communications platforms. This flaw could allow an unauthenticated attacker to execute arbitrary commands on the underlying operating systems of affected devices, potentially giving them complete control.

What the Vulnerability Is

At its core, the issue stems from improper handling of user-supplied input in HTTP requests that are processed by the web-based management interfaces of affected Cisco products. When these interfaces accept specially crafted requests, they fail to correctly validate the input, which can lead to remote code execution (RCE) at the operating-system level.

This type of flaw is categorized under code injection vulnerabilities, where an attacker constructs malicious data that tricks software into running unintended commands.

Severity and Scoring

Cisco has rated this vulnerability as Critical, reflecting the ease with which it can be exploited and the level of access an attacker could gain. According to the advisory, the issue carries a CVSS v3.1 base score of 8.2, indicating a high level of risk in terms of exploitability and impact.

Importantly, the flaw is remote and unauthenticated, meaning an attacker does not need to log in or have credentials to exploit the issue. A successful attack could allow execution of arbitrary commands and potentially lead to full device compromise.


Affected Products

The vulnerability impacts a number of Cisco’s Unified Communications offerings, which are extensively deployed in enterprise environments for voice, messaging, and presence services. The affected products include:

  • Cisco Unified Communications Manager (Unified CM)
  • Cisco Unified Communications Manager Session Management Edition (Unified CM SME)
  • Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P)
  • Cisco Unity Connection
  • Cisco Webex Calling Dedicated Instance

These platforms are critical for modern enterprise communication infrastructures. If compromised, they can disrupt voice and messaging services and expose sensitive internal information or systems.


Why This Is Urgent

Cisco’s advisory notes that no workarounds are available to fully prevent exploitation of this vulnerability, aside from applying the official patches and updates provided by Cisco.

Additionally, adversaries are already probing and targeting this flaw in the wild, according to security reporting. This means threat actors are actively seeking to exploit unpatched systems, raising the urgency for immediate remediation.

U.S. Federal Requirements

The vulnerability has also been listed in the Known Exploited Vulnerabilities (KEV) Catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA). Inclusion in this catalog typically triggers mandated remediation deadlines for U.S. federal civilian agencies, in this case with a compliance date of February 11, 2026.

Fixed Releases

Unified CM, Unified CM IM&P, Unified CM SME, and Webex Calling Dedicated Instance

Release   First Fixed Release
12.5      Migrate to a fixed release.
14        14SU5 or apply patch file:
          ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
15        15SU4 (Mar 2026) or apply patch file:
          ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512
          ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512

Unity Connection

Release   First Fixed Release
12.5      Migrate to a fixed release.
14        14SU5 or apply patch file:
          ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
15        15SU4 (Mar 2026) or apply patch file:
          ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512

What Administrators Should Do

Given the lack of effective workarounds and the real-world exploitation activity, affected organizations should act immediately to protect their environments:

  1. Apply Cisco’s security patches or upgrade to the fixed software versions that address this issue.
  2. Limit access to the web-based management interfaces from untrusted networks, ideally restricting them to internal or VPN-protected segments.
  3. Monitor network traffic and logs for unusual HTTP requests or traffic targeting the management interface.
  4. Implement network-level protections such as segmentation, firewalls, and intrusion detection systems to further shield affected systems.
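
Steps 2 and 3 can be checked together by auditing the management interface's access log for requests whose source lies outside the approved management networks. The Python script below is an added example, not part of Cisco's advisory or tooling; the Common Log Format input, the allowed subnets, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the only subnets that should reach the management interface.
MGMT_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.99.8.0/22")]

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (documentation address ranges, made-up paths).
SAMPLE_LOG = """\
10.20.0.15 - admin [21/Jan/2026:09:12:01 +0000] "GET /admin/home HTTP/1.1" 200 5120
203.0.113.45 - - [21/Jan/2026:09:13:44 +0000] "GET /admin/login HTTP/1.1" 200 2210
10.99.9.7 - - [21/Jan/2026:09:14:02 +0000] "GET /admin/status HTTP/1.1" 200 880
198.51.100.9 - - [21/Jan/2026:09:15:30 +0000] "GET /admin/login HTTP/1.1" 401 310
203.0.113.45 - - [21/Jan/2026:09:15:31 +0000] "POST /admin/login HTTP/1.1" 401 310
truncated entry without the expected fields
"""

def audit_management_access(log_text, allowed=MGMT_NETWORKS):
    """Return (findings, unparsed_line_numbers) for one access log."""
    findings, unparsed = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        match = CLF.match(line)
        try:
            src = ipaddress.ip_address(match["src"]) if match else None
        except ValueError:  # host field is a name or garbage, not an IP
            src = None
        if src is None:
            unparsed.append(lineno)  # review by hand, never drop silently
        elif not any(src in net for net in allowed):
            findings.append((lineno, str(src), match["method"],
                             match["path"], int(match["status"])))
    return findings, unparsed

def sources_by_volume(findings):
    """Rank outside sources by request count, busiest first."""
    return Counter(src for _, src, *_ in findings).most_common()

if __name__ == "__main__":
    hits, skipped = audit_management_access(SAMPLE_LOG)
    for hit in hits:
        print("outside management networks:", hit)
    print("by source:", sources_by_volume(hits))
    print("unparsed lines:", skipped)
```

Any finding means the access restriction in step 2 is not holding for that source, regardless of the response status, and the listed requests are the ones to review first under step 3.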

Prompt action is especially critical for organizations that expose these systems directly to public or hybrid networks, as successful exploitation could allow attackers to escalate privileges and fully compromise the systems.