Cisco fixed actively exploited Unified Communications zero day
January 21, 2026
Cisco patched a critical zero-day RCE flaw (CVE-2026-20045) in Unified Communications and Webex Calling that is actively exploited in the wild.
Cisco patched a critical zero-day remote code execution flaw, tracked as CVE-2026-20045 (CVSS score of 8.2), actively exploited in attacks.
An unauthenticated, remote attacker can exploit the flaw to execute arbitrary commands on the underlying operating system of an affected device.
The bug affected Cisco Unified CM, Unified CM SME, IM & Presence, Unity Connection, and Webex Calling Dedicated Instance.
“This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device.” reads the advisory. “A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.”
Below are impacted versions:
Unified CM, Unified CM IM&P, Unified CM SME, and Webex Calling Dedicated Instance
1. Patches are version-specific. Consult the README attached to the patch for details.
Unity Connection
1. Patches are version-specific. Consult the README attached to the patch for details.
The networking giant confirmed that there are no workarounds that address this vulnerability.
“The Cisco PSIRT is aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability.” concludes the advisory.
Early January, Cisco addressed a medium-severity vulnerability, tracked as CVE-2026-20029 (CVSS score: 4.9), in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) after a public PoC exploit was disclosed.
The vulnerability resides in the licensing feature of Cisco ISE and ISE-PIC due to improper XML parsing in the web management interface. An authenticated remote attacker with administrative privileges could exploit it by uploading a malicious file, enabling the reading of arbitrary files on the underlying operating system that should not be accessible, even to administrators.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, CVE-2026-20045)