Fix out for remotely exploited Cisco enterprise UC suite bug

Patches are available for a critical vulnerability in Cisco’s unified communications (UC) products, following detection of the bug being exploited by attackers in the wild.

Unauthenticated remote attackers can execute arbitrary code on the underlying operating system of the UC products, via their web-based management interface.

A successful exploit could allow the attacker to obtain user-level access to the operating system on unpatched devices, and then escalate their privileges to those of the root super-user with full administrative rights.

Improper validation of user-supplied HTTP requests, which attackers can abuse, is behind the remote code execution vulnerability.

Cisco’s Unified Communications Manager (CM), CM SME, CM IM&P, Unity Connection and Webex Dedicated Calling Instance are affected and need to be patched.

There are no workarounds for the flaw, which is scored as 8.2 out of 10.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw, tracked as CVE-2026-20045, to its Known Exploited Vulnerabilities must-fix catalogue.


