Cisco has addressed a critical vulnerability in its Unified Communications and Webex Calling systems, which was actively being exploited by attackers. The flaw, tracked as CVE-2026-20045, could grant attackers root access to affected servers. Here's a breakdown of the issue and how Cisco is addressing it.
The Vulnerability:
This zero-day exploit stems from improper validation of user-supplied input in HTTP requests. Attackers could craft malicious requests to gain unauthorized access and potentially take control of affected devices. Cisco's advisory highlights the severity: successful exploitation could lead to user-level access and, ultimately, root privileges on the underlying operating system.
Impacted Products:
The vulnerability affects several Cisco products, including:
- Cisco Unified Communications Manager (Unified CM) and its Session Management Edition (SME) and IM & Presence features.
- Cisco Unity Connection.
- Webex Calling Dedicated Instance.
Cisco's Response:
Cisco has released software updates and patch files to address this issue. Here's a breakdown of the affected versions and the recommended fixes:
Cisco Unified CM, Unified CM IM&P, Unified CM SME, and Webex Calling Dedicated Instance:
- Version 12.5: Upgrade to a fixed release.
- Version 14: Apply the patch file ciscocm.V14SU4aCSCwr21851remotecodev1.cop.sha512 (https://software.cisco.com/download/home/286319236/release/14SU4a).
- Version 15: Apply patch files ciscocm.V15SU2CSCwr21851remotecodev1.cop.sha512 (https://software.cisco.com/download/home/286319236/release/15SU2), ciscocm.V15SU3CSCwr21851remotecodev1.cop.sha512 (https://software.cisco.com/download/home/286319236/release/15SU3a).
Cisco Unity Connection:
- Version 12.5: Upgrade to a fixed release.
- Version 14: Apply the patch file ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512 (https://software.cisco.com/download/home/286319533/release/14SU4).
- Version 15: Apply the patch file ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512 (https://software.cisco.com/download/home/286319533/release/15SU3).
Important Notes:
- Cisco emphasizes that these patches are version-specific. Review the README file before applying patches.
- The company's Product Security Incident Response Team (PSIRT) has confirmed that attackers have been actively exploiting this flaw. It strongly urges customers to upgrade to the latest software as soon as possible.
- There are no workarounds for this vulnerability without installing the provided updates.
Federal Agencies and CISA:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) Catalog. Federal agencies have until February 11, 2026, to deploy the necessary updates.
Recent Cisco Security Updates:
This fix addresses a critical issue, but it's not Cisco's only recent security update. Earlier this month, the company patched a vulnerability in its Identity Services Engine (ISE) with public proof-of-concept exploit code and addressed a zero-day exploit in AsyncOS that had been actively used since November.
2026 CISO Budget Benchmark:
As budget season approaches, the 2026 CISO Budget Benchmark report offers valuable insights. Over 300 CISOs and security leaders shared their planning, spending, and prioritization strategies for the year ahead. This report allows readers to benchmark their strategies, identify emerging trends, and compare priorities as they prepare for 2026.
Cisco's prompt action in addressing this vulnerability is a reminder of the importance of proactive security measures. As CISOs and security professionals, staying informed about these updates and applying patches promptly is crucial to safeguarding your organization's systems and data.
