CISA has added CVE-2026-20045, a critical zero-day remote code execution (RCE) vulnerability in Cisco Unified Communications Manager (Unified CM), to its Known Exploited Vulnerabilities (KEV) catalog.
Added on January 21, 2026, this flaw affects multiple Cisco Unified Communications products, including Unified CM, Unified CM Session Management Edition (SME), Unified CM IM & Presence Service, Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance.
Attackers exploit it for code injection, gaining user-level access to the underlying OS and escalating to root privileges.
The vulnerability stems from improper input handling, tied to CWE-94 (Code Injection). Public reports confirm active in-the-wild exploitation, prompting CISA’s urgent directive.
Organizations must patch by the February 11, 2026, due date or apply mitigations per Cisco’s advisory. Failure to act risks full system compromise in enterprise voice and collaboration environments.
CVE-2026-20045 allows remote attackers to inject malicious code via crafted requests to affected services.
Successful exploitation grants initial foothold as a low-privileged user, followed by privilege escalation to root. This enables persistence, data exfiltration, lateral movement, or ransomware deployment across networks.
Cisco rates it high severity, though no CVSS score appears in initial disclosures. Vulnerable versions span recent Unified CM releases; check Cisco’s security advisory for exact ranges.
Exploitation likely targets exposed management interfaces or API endpoints without authentication.
Immediate actions for defenders:
- Upgrade to patched versions: Unified CM 14SU3.10000-5, 15SU5.10000-32, or later.
- Apply workarounds: Restrict access to trusted IPs via ACLs; disable services that are not required, such as IM&P.
- Monitor logs for anomalies: Suspicious API calls, unexpected process spawns (e.g., shell from web services).
- Follow BOD 22-01 for cloud instances; discontinue unpatchable EoL products.
No specific Indicators of Compromise (IOCs) have been published yet, and CISA lists the flaw’s use in ransomware campaigns as “Unknown”. In the meantime, scan for these potential signs:
| IOC Type | Description | Example Hash/Value |
|---|---|---|
| File | Suspicious binaries from injection | N/A (monitor /opt/cisco/ for anomalies) |
| Network | Anomalous traffic to management ports | TCP/8443, 443 from untrusted sources |
| Process | Root escalations post-injection | `ps aux \| grep` for unexpected shells |
| Log | Code injection attempts | /var/log/platform/log/app/logs/* errors |
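The “unexpected process spawns” item in the mitigation list and the “Process” row of the table above can be checked with a simple ancestry scan over `ps` output. The script below is an added example, not code from CISA, Cisco or the advisory; the web-service process names and the constructed `ps -eo pid,ppid,user,comm` sample are assumptions, not Cisco’s actual process names, so adjust them to what the appliance really runs.

```python
"""Flag shells spawned under web services and root children of unprivileged
web services, the two post-exploitation patterns the advisory tells
defenders to watch for. Added example with assumed process names."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid user comm")

# Assumption: command names that front the web/API surface on the host.
WEB_SERVICE_COMMS = {"tomcat", "java", "httpd", "nginx"}
# Interpreters/shells that a web service should not normally spawn.
SHELLS = {"sh", "bash", "dash", "ksh", "python", "perl"}

# Constructed sample in `ps -eo pid,ppid,user,comm` layout (not real data).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     systemd
  800     1 root     sshd
  900     1 tomcat   tomcat
  950   900 tomcat   java
 1200   900 tomcat   sh
 1201  1200 root     bash
 1300     1 root     cron
 1301  1300 root     sh
"""

def parse_ps(text):
    """Parse ps output (header on first line) into a pid -> Proc map."""
    procs = {}
    for line in text.strip().splitlines()[1:]:
        pid, ppid, user, comm = line.split(None, 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), user, comm)
    return procs

def ancestors(procs, pid):
    """Yield the process with `pid` and every parent above it (cycle-safe)."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid].ppid

def find_suspicious(procs):
    """Return (pid, reason, web_service_pid) triples; heuristic, not proof."""
    findings = []
    for p in procs.values():
        chain = list(ancestors(procs, p.ppid))
        web = next((a for a in chain if a.comm in WEB_SERVICE_COMMS), None)
        if web is None:
            continue
        if p.comm in SHELLS:
            findings.append((p.pid, "shell-from-web-service", web.pid))
        if p.user == "root" and web.user != "root":
            findings.append((p.pid, "root-under-unprivileged-web-service", web.pid))
    return findings

if __name__ == "__main__":
    for f in find_suspicious(parse_ps(SAMPLE_PS)):
        print(f)
```

Legitimate setuid helpers can trip the root check, so treat the output as a triage list to correlate with the web-service logs named above rather than as an alert on its own.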
This addition brings CISA’s KEV to 1,489 entries, emphasizing prioritization.
Unified CM powers VoIP for thousands of enterprises, making it a prime target for nation-states or cybercriminals.
Past Cisco flaws like CVE-2020-2021 showed similar RCE chains leading to breaches.
Cisco urges immediate patching and is offering hotfixes for supported branches; air-gapped systems must be updated manually via SFTP.
