Cisco Unified Communications Zero-Day RCE – CVE-2026-20045

Cisco has disclosed a critical zero-day remote code execution (RCE) vulnerability in its Unified Communications (UC) suite, actively exploited in the wild to gain root access.

Vulnerability Details

  • CVE ID: CVE-2026-20045
  • Severity: Critical (rated on the root-level risk, which overrides the CVSS score).
  • Attack vector: Crafted HTTP requests to the web-based management interface.
  • Impact:
    • Bypass authentication.
    • Execute arbitrary commands at user level.
    • Escalate privileges to root.
  • No workarounds: Exploitation requires network access to the management interface, common in enterprise VoIP setups exposed via firewalls or VPNs.

Affected Products

Product                             Bug ID
Unified CM                          CSCwr21851
Unified CM SME                      CSCwr21851
Unified CM IM&P                     CSCwr29216
Unity Connection                    CSCwr29208
Webex Calling Dedicated Instance    CSCwr21851

Not affected: Contact Center SIP Proxy, Unified CCE, and others.

Fixed Releases & Patches

Unified CM, IM&P, SME, Webex Calling

  • 12.5 → Migrate to fixed release.
  • 14 → 14SU5 or 14SU4a patch.
  • 15 → 15SU4 (Mar 2026) or 15SU2/3 patches.

Unity Connection

  • 12.5 → Migrate to fixed release.
  • 14 → 14SU5 or 14SU4 patch.
  • 15 → 15SU4 (Mar 2026) or 15SU3 patch.

Exploitation in the Wild

  • Cisco PSIRT confirmed real-world exploitation attempts.
  • Attackers are likely using automated scanners to find exposed interfaces.
  • Enterprises with unpatched VoIP/UC deployments face high risk, especially in hybrid work setups.
  • CISA has added CVE-2026-20045 to the Known Exploited Vulnerabilities (KEV) catalog.

Defensive Recommendations

  • Patch immediately to the fixed releases listed.
  • Restrict management interfaces to trusted IPs via firewalls.
  • Monitor logs for anomalous HTTP requests.
  • Audit exposure: Ensure UC management interfaces are not publicly accessible.
  • Incident response: Treat any suspicious activity as potential compromise due to root-level access risk.
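
One way to combine the "restrict to trusted IPs", "monitor logs" and "audit exposure" items above is to list every client outside the management allowlist that reached the web interface. This is an added example, not code from Cisco or from the original post. It assumes the access log is in Common Log Format, and the trusted subnets, request paths and log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: management subnets allowed to reach the UC web interface (constructed).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.50.0/28")]

# Assumption: Common Log Format (client IP, identity, user, [time], "request", status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)

# Constructed sample lines; the paths are placeholders, not real product URLs.
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Jan/2026:09:00:01 +0000] "GET /example/admin HTTP/1.1" 200 1024',
    '203.0.113.7 - - [01/Jan/2026:09:00:05 +0000] "POST /example/admin HTTP/1.1" 200 87',
    '203.0.113.7 - - [01/Jan/2026:09:00:06 +0000] "GET /example/status HTTP/1.1" 404 0',
    '198.51.100.23 - - [01/Jan/2026:09:01:10 +0000] "GET /example/admin HTTP/1.1" 403 0',
    'garbled line that does not match the format',
]

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable client address is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def untrusted_sources(lines):
    """Return ({ip: {"hits", "ok", "paths"}}, unparsed_count) for untrusted clients."""
    findings = defaultdict(lambda: {"hits": 0, "ok": 0, "paths": set()})
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1  # count these: silent parse gaps hide activity
            continue
        if is_trusted(m["ip"]):
            continue
        entry = findings[m["ip"]]
        entry["hits"] += 1
        entry["ok"] += int(m["status"].startswith("2"))  # 2xx = request was served
        entry["paths"].add(m["path"])
    return dict(findings), unparsed

if __name__ == "__main__":
    found, skipped = untrusted_sources(SAMPLE_LOG)
    for ip, e in sorted(found.items(), key=lambda kv: -kv[1]["ok"]):
        print(f"{ip}: {e['hits']} requests, {e['ok']} served, paths={sorted(e['paths'])}")
    print(f"unparsed lines: {skipped}")
```

Any untrusted source with served (2xx) requests shows that the firewall restriction is missing or bypassed and, per the incident response item above, should be handled as a potential compromise.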

Takeaway

CVE-2026-20045 highlights the critical exposure of Unified Communications platforms. With active exploitation confirmed, organizations must patch urgently and lock down management interfaces to prevent attackers from gaining root access to enterprise VoIP infrastructure.
