Cisco Unified Communications Zero-Day RCE Flaw Actively Exploited For Root Shell Access

Cisco has warned customers of a critical zero-day vulnerability affecting several of its Unified Communications products, including Cisco Unified Communications Manager (Unified CM), Unified Communications Manager Session Management Edition (Unified CM SME), Unified Communications Manager IM & Presence Service (IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance.

Tracked as CVE-2026-20045, the vulnerability carries a CVSS base score of 8.2 and is classified as Critical due to the potential for privilege escalation to root.

Cisco’s Product Security Incident Response Team (PSIRT) confirmed that the flaw has been actively exploited in the wild, prompting an immediate security response and patch release.

The issue stems from improper input validation in HTTP requests to the web-based management interface of affected devices.

An unauthenticated, remote attacker could exploit the vulnerability by sending specially crafted HTTP requests.

Successful exploitation would allow the attacker to execute arbitrary system commands, gaining user-level access first, and subsequently escalating privileges to root on the underlying Linux operating system.

Cisco notes that while the CVSS score suggests a “High” rating, its Security Impact Rating (SIR) has been raised to Critical because successful exploitation grants complete administrative control of affected systems.

Cisco has released software updates that remediate the issue, but confirmed no workarounds are available.

The company urges all customers to upgrade to the latest fixed releases or apply the available patch files immediately to prevent compromise.

The vulnerability affects all major versions of Unified CM, Unified CM SME, Unified CM IM&P, Cisco Unity Connection, and Webex Calling Dedicated Instance.

Fixed releases include version 14SU5 and the upcoming 15SU4 (scheduled for March 2026), as well as corresponding interim patches.

Customers running the following products are advised to apply the appropriate updates:

  • Unified CM, Unified CM SME, IM&P, Webex Dedicated Instance: Fixed in 14SU5 or via patch ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
  • Unity Connection: Fixed in 14SU5 or via patch ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512

Earlier releases (12.5 and below) should migrate to supported fixed versions, as no backported patches are available.

Cisco listed several bug IDs associated with this vulnerability: CSCwr21851, CSCwr29208, and CSCwr29216, corresponding to the affected components. The company credited an external researcher for responsibly disclosing the flaw.

Cisco has confirmed that products such as Unified Contact Center Express, Unified Intelligence Center, and Customer Collaboration Platform are not impacted by this issue.

Organizations relying on Cisco Unified Communications infrastructure are strongly advised to:

  • Apply patched versions or install the listed .cop patch files.
  • Limit external access to Unified Communications management interfaces.
  • Monitor for suspicious HTTP activity targeting vulnerable endpoints.

While Cisco has not publicly disclosed specific IoCs related to observed attacks, defenders should monitor for the following potential red flags:

  • Unusual or unauthorized HTTP POST requests directed toward Unified CM or Unity web interfaces.
  • Unexpected creation of system-level processes under non-root users.
  • Privilege escalation attempts or root shell access within Unified CM or Unity systems.
  • Outbound connections from communications servers to unrecognized IPs.
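
One way to check for the first red flag above, as an added example that is not from Cisco's advisory or the original article: it scans web access logs for POST requests that reach the management interface from outside an allowlisted admin network. The combined-style log format, the `ADMIN_NETS` range, the placeholder paths and every sample line are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the only networks that should reach the management web UI.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Assumption: access log lines in Apache/Tomcat combined-style format.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample input: documentation IP ranges, placeholder paths.
SAMPLE_LOG = """\
10.20.0.15 - admin [21/Jan/2026:09:01:12 +0000] "POST /mgmt/example/login HTTP/1.1" 200 512
10.20.0.15 - admin [21/Jan/2026:09:02:40 +0000] "GET /mgmt/example/status HTTP/1.1" 200 2048
203.0.113.77 - - [21/Jan/2026:09:05:03 +0000] "POST /mgmt/example/upload HTTP/1.1" 500 0
203.0.113.77 - - [21/Jan/2026:09:05:04 +0000] "POST /mgmt/example/upload HTTP/1.1" 200 87
198.51.100.4 - - [21/Jan/2026:09:07:19 +0000] "GET /mgmt/example/login HTTP/1.1" 200 1024
not a log line
"""

def is_admin_source(addr):
    """True only if addr parses as an IP inside an allowlisted admin network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable source is treated as untrusted
    return any(ip in net for net in ADMIN_NETS)

def find_suspicious_posts(log_text):
    """Return (alerts, per-source counts) for POSTs from outside ADMIN_NETS."""
    alerts, counts = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if m["method"] == "POST" and not is_admin_source(m["src"]):
            alerts.append((m["ts"], m["src"], m["path"], int(m["status"])))
            counts[m["src"]] += 1
    return alerts, counts

if __name__ == "__main__":
    alerts, counts = find_suspicious_posts(SAMPLE_LOG)
    for ts, src, path, status in alerts:
        print(f"ALERT {ts} {src} POST {path} -> {status}")
    print(dict(counts))
```

Per-source counts help separate a single stray request from repeated attempts; any hit also indicates the interface is reachable from networks it should not be.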

Cisco strongly urges immediate patching of affected systems to prevent root-level compromise, as exploitation attempts have already been observed in the wild.
