PT-2026-3785 · Cisco · Cisco Unified Communications Manager and 4 other products

Published

2026-01-21

·

Updated

2026-05-05

·

CVE-2026-20045

CVSS v2.0

10

Critical

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

The same release trains are affected for all five products:

Cisco Unified Communications Manager
Cisco Unified Communications Manager Session Management Edition
Cisco Unified Communications Manager IM & Presence Service
Cisco Unity Connection
Cisco Webex Calling Dedicated Instance

Affected: 12.5 train releases before the fixed release named by Cisco; 14 train releases before 14SU5; 15 train releases before 15SU4.
Description

An improper validation of user-supplied input in HTTP requests allows an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of an affected device. By sending a sequence of crafted HTTP requests to the web-based management interface, an attacker can obtain user-level access and subsequently elevate privileges to root. This issue has been actively exploited in the wild and is included in CISA's Known Exploited Vulnerabilities catalog. Approximately 1,300 instances of Cisco Unified CM are exposed to the internet.
Recommendations

For all five affected products (Cisco Unified Communications Manager, Unified CM SME, Unified CM IM&P, Unity Connection, and Webex Calling Dedicated Instance), update to the fixed release of the 12.5 train, or apply the 14SU5 or 15SU4 (March 2026) patches. Because the web-based management interface is the attack surface and the flaw needs no authentication, any instance reachable from the internet should be patched first or taken off the public network until it is.
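The affected-version and recommendation text above amounts to a per-train comparison that an inventory script can apply. The following is an added example, not Cisco code and not part of the original entry: it accepts release labels in the form the entry uses ("14SU4", "15 SU3", "12.5(1)SU8"; the label grammar and the sample inventory are assumptions for illustration) and classifies each host against the fixed releases named here. Mapping raw CUCM build strings to SU numbers is deliberately out of scope, and the 12.5 train is reported as "check-advisory" because the entry only says "fixed release" without naming it.

```python
"""Patch-status triage for CVE-2026-20045 using the fixed releases listed in this
entry. Added example (not Cisco's code). Release labels are assumed to be of the
form "<train>[ (n) ][SU<k>]", e.g. "14SU4", "15 SU3", "12.5(1)SU8", "15".
"""
import re
from typing import Dict, List, Tuple

# Fixed releases per the entry: 14SU5 and 15SU4. The 12.5 train only has an
# unnamed "fixed release" here, so it is flagged for a manual advisory check.
FIXED_SU: Dict[str, int] = {"14": 5, "15": 4}
ADVISORY_ONLY_TRAINS = {"12.5"}

# Product names exactly as listed under "Affected Products" (compared casefolded).
AFFECTED_PRODUCTS = {
    "Cisco Unified Communications Manager",
    "Cisco Unified Communications Manager IM & Presence Service",
    "Cisco Unified Communications Manager Session Management Edition",
    "Cisco Unity Connection",
    "Cisco Webex Calling Dedicated Instance",
}
_AFFECTED_CF = {p.casefold() for p in AFFECTED_PRODUCTS}

# Assumed label grammar: train ("14", "15", "12.5"), optional "(n)", optional "SU<k>".
_LABEL = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(?:\(\d+\))?\s*(?:SU\s*(\d+))?\s*$", re.I)


def parse_label(label: str) -> Tuple[str, int]:
    """Return (train, su_number); a label with no SU suffix is the base release (SU 0)."""
    m = _LABEL.match(label)
    if not m:
        raise ValueError(f"unrecognised release label: {label!r}")
    return m.group(1), int(m.group(2) or 0)


def status(product: str, label: str) -> str:
    """Classify one host: not-listed, fixed, vulnerable, check-advisory or unknown-train."""
    if product.casefold() not in _AFFECTED_CF:
        return "not-listed"
    train, su = parse_label(label)
    if train in FIXED_SU:
        # "versions prior to 14SU5 / 15SU4": the base release and every earlier SU.
        return "fixed" if su >= FIXED_SU[train] else "vulnerable"
    if train in ADVISORY_ONLY_TRAINS:
        return "check-advisory"
    return "unknown-train"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group host names by status; inventory rows are (host, product, release label)."""
    out: Dict[str, List[str]] = {}
    for host, product, label in inventory:
        out.setdefault(status(product, label), []).append(host)
    return out


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("cucm-pub-01", "Cisco Unified Communications Manager", "14SU4"),
    ("cucm-pub-02", "Cisco Unified Communications Manager", "15 SU4"),
    ("imp-01", "Cisco Unified Communications Manager IM & Presence Service", "15SU3"),
    ("cuc-01", "Cisco Unity Connection", "12.5(1)SU8"),
    ("expressway-01", "Cisco Expressway", "15SU4"),
]

if __name__ == "__main__":
    for state, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{state:15} {', '.join(hosts)}")
```

Hosts reported as "vulnerable" are the ones to patch (or isolate) first; "check-advisory" hosts on the 12.5 train need the exact fixed release from the Cisco advisory, which this entry does not name.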

Fix · DoS · LPE · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-00706
CVE-2026-20045

Affected Products

Cisco Unified Communications Manager
Cisco Unified Communications Manager IM & Presence Service
Cisco Unified Communications Manager Session Management Edition
Cisco Unity Connection
Cisco Webex Calling Dedicated Instance