Cisco Releases Patch for Critical Zero-Day Vulnerability in Unified Communications After Active Exploitation


Friday, January 23, 2026

Cisco has issued a security advisory and released software updates to address CVE-2026-20045, a critical remote code execution (RCE) vulnerability affecting its enterprise communications products, including Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance. Cisco's Product Security Incident Response Team (PSIRT) has confirmed that the flaw was being actively exploited as a zero-day before a fix was available, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and urge immediate remediation.

The vulnerability stems from insufficient validation of HTTP requests sent to the web-based management interface of affected systems; an attacker who can reach that interface can send a specially crafted request to trigger it. Successful exploitation gives the attacker initial access on the underlying operating system as an ordinary OS user, after which privileges can be escalated to root, meaning full compromise of the server. Cisco states that no workarounds or mitigations are available: applying the released software updates or the emergency patch is the only effective protection, so exposure of the management interface should be treated as exposure of the whole server until that is done.

Cisco’s remediation guidance by version is as follows:

  • Version 12.5: no fix is provided for this release train; migrate to a newer release that carries the permanent fix.
  • Version 14: upgrade to 14SU5, which carries the permanent fix; if an immediate upgrade is not feasible, apply the emergency patch.
  • Version 15: the permanent fix, 15SU4, is scheduled for release in March 2026; install the emergency patch now and plan the upgrade for when 15SU4 ships.

Administrators are advised to carefully review the README files for each patch prior to installation to ensure compatibility with their deployed versions.
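For administrators with more than a handful of nodes, the per-version guidance above is easiest to apply as a fleet triage step: list every affected product with the release train and service update it runs, and let a script say which of the three actions (migrate, upgrade or emergency-patch, or already fixed) each node still needs. The example below is added here and is not Cisco's code or part of the advisory. It assumes version labels in the release-train-plus-service-update form ("14SU3", "15SU2", "12.5SU7") and a constructed comma-separated inventory; the exact build numbers behind each SU are not on this page and are deliberately not encoded. It also anticipates the stated March 2026 release by treating 15SU4 and later as fixed.

```python
import re

# Remediation targets taken from Cisco's per-version guidance summarised above.
# Assumption: labels use the train-plus-SU form ("14SU3"); build numbers are not encoded.
FIX_SU = {"14": 5, "15": 4}      # 14SU5 carries the fix now; 15SU4 is announced for March 2026
FIX_NOT_YET_SHIPPED = {"15"}     # so on the 15 train only the emergency patch helps today
MIGRATE_ONLY = {"12.5"}          # no fix on this train at all

LABEL_RE = re.compile(r"^(?P<train>12\.5|14|15)(?:SU(?P<su>\d+))?$", re.IGNORECASE)


def parse_label(label: str) -> tuple[str, int]:
    """Split '14SU3' into ('14', 3); a bare train such as '15' counts as SU 0."""
    m = LABEL_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised Unified CM version label: {label!r}")
    return m.group("train"), int(m.group("su") or 0)


def remediation(label: str) -> str:
    """Action a node on this base version still needs, per the guidance above.

    Limitation: the emergency patch does not change the SU label, so a node
    reported as needing a patch may already carry one; confirm that on the node.
    """
    train, su = parse_label(label)
    if train in MIGRATE_ONLY:
        return "migrate"
    if su >= FIX_SU[train]:
        return "fixed"
    if train in FIX_NOT_YET_SHIPPED:
        # Every SU shipped so far predates the fix; upgrading within the train does not help yet.
        return "emergency-patch"
    return "upgrade-or-emergency-patch"


def triage(inventory: str) -> dict[str, str]:
    """Map 'hostname,version' lines to the remediation each host needs."""
    result = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, label = (part.strip() for part in line.split(",", 1))
        result[host] = remediation(label)
    return result


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """
# host,version
cucm-pub-01,14SU3
cucm-sub-01,14SU5
imp-01,15SU3
unity-01,12.5SU7
"""

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {action}")
```

Because the emergency patch is invisible in the version label, the script can only tell you what a node would need if it were unpatched; pair its output with a check on each node for the patch itself, and re-run it after 15SU4 ships so hosts on the 15 train move from "emergency-patch" to an upgrade.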

Source https://www.bleepingcomputer.com/news/security/cisco-fixes-unified-communications-rce-zero-day-exploited-in-attacks/