PT-2026-3785 · Cisco · Cisco Unified Communications Manager IM & Presence Service (+4 more)

Published 2026-01-21 · Updated 2026-06-20 · CVE-2026-20045

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Cisco Unified Communications Manager (Unified CM) versions prior to 12.5, 14SU5, and 15SU4
Cisco Unified Communications Manager Session Management Edition (Unified CM SME) versions prior to 12.5, 14SU5, and 15SU4
Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) versions prior to 12.5, 14SU5, and 15SU4
Cisco Unity Connection versions prior to 12.5, 14SU5, and 15SU4
Cisco Webex Calling Dedicated Instance versions prior to 12.5, 14SU5, and 15SU4

Description

An issue exists in the web-based management interface due to improper validation of user-supplied input in HTTP requests. A remote, unauthenticated attacker could exploit this by sending a sequence of crafted HTTP requests, allowing them to execute arbitrary commands on the underlying operating system. Successful exploitation provides user-level access, which can then be escalated to root privileges. This flaw has been actively exploited in the wild and is included in CISA's Known Exploited Vulnerabilities catalog. Approximately 1,300 instances of Cisco Unified CM are reported to be exposed to the internet.

Recommendations

For Cisco Unified CM, CM SME, CM IM&P, and Webex Calling, upgrade to a fixed release for version 12.5, or apply 14SU5 or 15SU4 (March 2026) patches.
For Cisco Unity Connection, upgrade to a fixed release for version 12.5, or apply 14SU5 or 15SU4 (March 2026) patches.

Fix

DoS

LPE

RCE

Code Injection


Weakness Enumeration

Related Identifiers

BDU:2026-00706
CVE-2026-20045

Affected Products

Cisco Unified Communications Manager
Cisco Unified Communications Manager IM & Presence Service
Cisco Unified Communications Manager Session Management Edition
Cisco Unity Connection
Cisco Webex Calling Dedicated Instance