Exploited Zero-Day Flaw in Cisco UC Could Affect Millions
Summary
Cisco has disclosed and patched CVE-2026-20045, a remote code execution vulnerability in its Unified Communications products, including Unified Communications Manager (UCM), UCM Session Management Edition, IM & Presence Service, Unity Connection, and Webex Calling Dedicated Instance. The flaw arises from improper validation of user-supplied input in HTTP requests to the web-based management interface, allowing an attacker to gain user-level access and potentially escalate to root.
Although the CVSS score is 8.2, Cisco rates the issue as critical via its proprietary Security Impact Rating because successful exploitation can yield full system takeover. Cisco says PSIRT is aware of attempted exploitation in the wild; CISA added the bug to its Known Exploited Vulnerabilities catalogue, and multiple threat intelligence vendors report likely mass scanning and increased attacker interest.
Key Points
- CVE-2026-20045 is an RCE in Cisco Unified Communications products affecting a platform used by millions (Cisco reports ~30 million UCM users).
- The vulnerability results from improper validation of HTTP request input to the management web interface, enabling unauthenticated abuse in some cases.
- Cisco patched the flaw and assigned a critical Security Impact Rating because attackers can potentially achieve root privileges and full control.
- CISA added the vulnerability to its KEV list; vendors such as SOCRadar and Arctic Wolf report evidence of mass scanning and warn of likely exploitation attempts.
- No public proof-of-concept was reported at the time of publication, but active scanning and attempted exploitation have been observed.
- Historic targeting of Cisco products by state-sponsored and criminal groups increases the urgency to patch and mitigate exposure.
- Immediate mitigations: apply Cisco’s provided updates, restrict management interfaces from the public internet, use access controls and network filtering, monitor logs for suspicious HTTP requests, and enforce strong authentication for admin interfaces.
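
The exposure and log-monitoring mitigations above, as an added example that is not from Cisco or the original article: it flags requests that reached the management interface from outside an admin allowlist and marks sources probing several distinct paths. The log format, admin network, threshold, paths and sample lines are assumptions constructed for illustration, not indicators for CVE-2026-20045.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: admin workstations sit in this range (constructed value).
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumed tuning value: distinct paths from one outside source that count as scanning.
SCAN_PATHS = 3
# Assumption: Common Log Format; adapt the pattern to your proxy or appliance logs.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Constructed sample; documentation-range addresses and placeholder paths.
SAMPLE_LOG = """\
10.20.0.15 - admin [21/Jan/2026:09:01:02 +0000] "GET /mgmt/login HTTP/1.1" 200 5120
203.0.113.7 - - [21/Jan/2026:09:03:10 +0000] "GET /mgmt/login HTTP/1.1" 200 5120
203.0.113.7 - - [21/Jan/2026:09:03:11 +0000] "GET /mgmt/a?x=1 HTTP/1.1" 404 312
203.0.113.7 - - [21/Jan/2026:09:03:11 +0000] "POST /mgmt/b HTTP/1.1" 404 312
198.51.100.23 - - [21/Jan/2026:10:15:00 +0000] "GET /mgmt/login HTTP/1.1" 200 5120
not a log line
"""

def is_admin_source(ip):
    """True when the client address falls inside an allowlisted admin network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostnames or garbage are treated as untrusted
    return any(addr in net for net in ADMIN_NETS)

def triage(log_text):
    """Summarise requests that reached the management interface from outside ADMIN_NETS."""
    seen = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or is_admin_source(m.group(1)):
            continue  # skip unparseable lines and allowlisted admins
        ip, path, status = m.groups()
        entry = seen[ip]
        entry["requests"] += 1
        entry["errors"] += status.startswith("4")
        entry["paths"].add(path.split("?", 1)[0])  # ignore query strings
    return {
        ip: {"requests": e["requests"], "errors": e["errors"],
             "scanning": len(e["paths"]) >= SCAN_PATHS}
        for ip, e in seen.items()
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Any entry in the result means the management interface was reachable from outside the admin network, which is itself the exposure the mitigations aim to remove.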
Why should I read this?
Pretty simple: if you run Cisco Unified Communications you need to know about this. It’s a high-impact RCE that can hand attackers root on voice/collaboration kit used by organisations worldwide. Mass scanning is already happening — so patching and locking down management interfaces should be near the top of your to-do list. We’ve skimmed the noise and pulled the urgent bits for you.
