PT-2026-3785 · Cisco · Cisco Unified Communications Manager IM & Presence Service +4

Published: 2026-01-21 · Updated: 2026-01-23 · CVE-2026-20045

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Cisco Unified Communications Manager (Unified CM)
Cisco Unified Communications Manager Session Management Edition (Unified CM SME)
Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P)
Cisco Unity Connection
Cisco Webex Calling Dedicated Instance versions prior to the fixed version

Description

A vulnerability exists in Cisco Unified Communications Manager, Unified CM SME, Unified CM IM&P, Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance that could allow a remote attacker to execute arbitrary commands on the underlying operating system. The cause is improper validation of user-supplied input in HTTP requests sent to the web-based management interface. Successful exploitation could grant an attacker user-level access, with the potential to escalate privileges to root. The vulnerability allows unauthenticated remote code execution (RCE) and privilege escalation.

This vulnerability is being actively exploited in the wild. Approximately 1,300 internet-exposed Unified CM instances have been observed. The vulnerability is tracked as CVE-2026-20045 and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate by February 11, 2026.

Recommendations

Apply the latest security patches released by Cisco to address CVE-2026-20045.
Restrict access to the web-based management interface.
Monitor systems for malicious HTTP activity.

Fix

LPE

DoS

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-20045

Affected Products

Cisco Unified Communications Manager
Cisco Unified Communications Manager IM & Presence Service
Cisco Unified Communications Manager Session Management Edition
Cisco Unity Connection
Cisco Webex Calling Dedicated Instance