SparTech Software CyberPulse – Your quick strike cyber update for January 22, 2026 5:03 AM

Cisco Unified Communications Zero-Day Vulnerability Actively Exploited

This summary covers the active exploitation of a critical zero-day remote code execution vulnerability in Cisco Unified Communications Manager and related products, tracked as CVE-2026-20045. The flaw allows unauthenticated attackers to execute arbitrary commands on affected systems and has prompted urgent patching recommendations from Cisco and CISA.

Vulnerability Overview

Cisco Unified Communications Manager (Unified CM) and Webex Calling Dedicated Instance contain a critical remote code execution (RCE) vulnerability designated CVE-2026-20045. This flaw carries a CVSS v3.1 base score of 8.2, classifying it as high severity due to its potential for significant impact on confidentiality, integrity, and availability. The vulnerability arises from insufficient validation of user-supplied input within a specific API endpoint, enabling an unauthenticated remote attacker to craft and submit malicious requests that trigger command injection on the underlying operating system.

Technical Exploitation Details

Attackers exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable web interface, typically exposed on TCP port 443 or 8443. The core issue lies in a deserialization flaw combined with improper neutralization of special elements in the input, allowing OS command injection. For instance, an attacker could append shell metacharacters such as backticks or semicolons to inject commands like whoami or id, escalating to root privileges due to the service running with elevated permissions. Proof-of-concept exploits demonstrate that a simple curl request with a payload like ;/bin/sh can spawn a reverse shell, granting full system access without authentication.

Scope and Affected Versions

The vulnerability impacts multiple versions of Unified CM, including releases 12.5, 14, and 15, as well as Webex Calling Dedicated Instance. Cisco has confirmed active exploitation in the wild, with evidence of targeted attacks against enterprise networks. No authentication is required, making it particularly dangerous for internet-facing instances. Related products like Cisco Unified CM IME, Session Management Edition, and others sharing the same codebase are also susceptible.

Mitigation and Vendor Response

Cisco released emergency patches across all supported branches on January 20, 2026, urging immediate upgrades. There are no available workarounds, as disabling the affected feature would disrupt core telephony services. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20045 to its Known Exploited Vulnerabilities catalog on January 21, 2026, requiring Federal Civilian Executive Branch agencies to apply mitigations by February 11, 2026. Organizations are advised to implement network segmentation, web application firewalls with custom rules to block anomalous API calls, and enhanced logging for the affected endpoints.
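One way to act on the logging recommendation above is a small detection pass over web access logs for the Unified CM interface, flagging requests on ports 443 and 8443 whose path or query carries the shell metacharacters the article describes (semicolons, backticks, /bin/sh). This is an added example, not Cisco's or CISA's guidance; the log line format, the API paths and the heuristic pattern are constructed assumptions, and the output should feed a human review rather than an automatic block.

```python
import re
from urllib.parse import unquote_plus

# Heuristic: metacharacters and payload fragments named in the advisory text.
# Hypothetical pattern; tune it to your own traffic to limit false positives.
SUSPICIOUS = re.compile(r"(;|`|\$\(|\|\||&&|/bin/sh|/bin/bash)")

# Ports on which the vulnerable web interface is typically exposed (per the article).
WEB_PORTS = {"443", "8443"}

# Constructed sample lines: "<src> <dst_port> "<method> <path> <proto>" <status>".
# These are not real Unified CM logs; the API paths are placeholders.
SAMPLE_LOGS = [
    '10.0.0.5 443 "GET /api/v1/status HTTP/1.1" 200',
    '203.0.113.9 8443 "POST /api/v1/config?host=%3B%2Fbin%2Fsh HTTP/1.1" 500',
    '203.0.113.9 443 "GET /api/v1/lookup?name=test%60id%60 HTTP/1.1" 200',
    '10.0.0.7 443 "GET /static/app.js HTTP/1.1" 200',
]

LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<port>\d+) "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)

def parse_line(line):
    """Return the fields of one constructed log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """True when a request to a web port contains a metacharacter after URL decoding."""
    if entry["port"] not in WEB_PORTS:
        return False
    path = entry["path"]
    # Decode up to three times so double-encoded input (%253B -> %3B -> ;) is caught.
    for _ in range(3):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return bool(SUSPICIOUS.search(path))

def flag_requests(lines):
    """Return (source, raw path) pairs for every line that matches the heuristic."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["src"], entry["path"]))
    return hits

if __name__ == "__main__":
    for src, path in flag_requests(SAMPLE_LOGS):
        print(f"REVIEW source={src} request={path}")
```

Legitimate query values can contain these characters, so treat hits as triage candidates and correlate them with the source address and with process or shell activity on the host.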

Broader Implications

This incident underscores the persistent threat of zero-day vulnerabilities in network infrastructure, especially in voice and collaboration platforms critical to business operations. Following closely on the heels of another exploited flaw in Cisco Secure Email Gateway (CVE-2025-20393), it highlights the need for rapid patch deployment cycles and proactive threat hunting using endpoint detection tools to identify command-and-control traffic indicative of exploitation.
