You are currently viewing Cisco Unified CM and Webex Security Alert: Active Zero-Day CVE-2026-20045 Fixed

Cisco Unified CM and Webex Security Alert: Active Zero-Day CVE-2026-20045 Fixed

  • Post author:
  • Reading time:4 mins read

Cisco has recently issued security updates to fix a critical vulnerability impacting several Unified Communications Manager (CM) products and Webex Calling Dedicated Instance. Tracked as CVE-2026-20045, the flaw has been actively exploited as a zero-day in real-world attacks, creating a serious risk for affected organizations.

Vulnerability Details

CVE-2026-20045 (CVSS: 8.2) is a critical vulnerability that may allow an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of an affected device.

According to Cisco, the issue stems from improper validation of user-controlled input in HTTP requests. An attacker could exploit this flaw by sending a series of specially crafted HTTP requests to the device’s web-based management interface. If successfully exploited, this could grant the attacker user-level access to the operating system, with the potential to further escalate privileges to root.

Infection Method

1. Target Identification

The attacker scans the internet or internal network to identify exposed Cisco Unified Communications (UC) products such as Cisco Unified CM, Unified CM SME, Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance, typically focusing on systems where the web-based management interface is reachable.

2. Access to Management Interface

After locating a potential target, the attacker attempts to access the device’s web-based management interface over HTTP/HTTPS without needing valid authentication.

3. Delivery of Crafted HTTP Requests

The attacker delivers a sequence of specially crafted HTTP requests containing malicious user-supplied input, leveraging improper validation to manipulate how the application processes the request data.

4. Remote Command Execution

Once the vulnerability is triggered, the attacker is able to execute arbitrary commands on the underlying operating system of the affected device, gaining an initial foothold with user-level privileges.

5. Establishing Initial Foothold

With command execution achieved, the attacker may deploy a lightweight payload such as a web shell or reverse shell, allowing continued interaction with the compromised system and enabling further malicious actions.

6. Privilege Escalation

Following initial access, the attacker may attempt to escalate privileges from user-level access to root, granting full administrative control over the device.

7. Post-Exploitation Activities

After obtaining elevated privileges, the attacker can perform post-compromise actions such as extracting sensitive data, modifying configurations, creating persistence mechanisms, and pivoting laterally to other systems within the organization’s network.

Tactics and Techniques include:

  • TA0002 – Execution: The vulnerability enables attackers to execute arbitrary commands on the affected system.
  • TA0008 – Lateral Movement: Successful exploitation could facilitate lateral movement within the compromised network.
  • TA0006 – Credential Access: Attackers may gain access to sensitive credentials.
  • T1210 – Exploitation of Remote Services: Attackers exploit the remote services to trigger the vulnerability.

Affected Products

The vulnerability impacts the following Cisco products:

  • Unified CM
  • Unified CM Session Management Edition (SME)
  • Unified CM IM & Presence Service (IM&P)
  • Unity Connection
  • Webex Calling Dedicated Instance

Mitigation & Recommendations

Cisco has released software updates and patch files to address this vulnerability. Customers are strongly advised to upgrade to a fixed software release or apply the appropriate patch file as soon as possible.

The specific fixed releases and patch files are as follows:

Cisco Unified CM, CM SME, CM IM&P, and Webex Calling Dedicated Instance:

  • Release 12.5: Migrate to a fixed release
  • Release 14: 14SU5 or apply patch file: ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
  • Release 15: 15SU4 (Mar 2026) or apply patch file: ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 or ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512

Cisco Unity Connection:

  • Release 12.5: Migrate to a fixed release
  • Release 14: 14SU5 or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
  • Release 15: 15SU4 (Mar 2026) or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.