Full Report
Cisco has released fresh patches to address what it described as a "critical" security vulnerability impacting multiple Unified Communications (CM) products and Webex Calling Dedicated Instance that it has been actively exploited as a zero-day in the wild. The vulnerability, CVE-2026-20045 (CVSS score: 8.2), could permit an unauthenticated remote attacker to execute arbitrary commands on the
Analysis Summary
# Vulnerability: Critical RCE in Cisco Unified CM and Webex Calling via Input Validation Flaw
## CVE Details
- CVE ID: CVE-2026-20045
- CVSS Score: 8.2 (High)
- CWE: Not specified in the text.
## Affected Systems
- Products:
- Cisco Unified Communication Manager (Unified CM)
- Unified CM Session Management Edition (SME)
- Unified CM IM & Presence Service (IM&P)
- Cisco Unity Connection
- Webex Calling Dedicated Instance
- Versions:
- **Unified CM/SME/IM&P/Webex Calling Dedicated Instance:**
- Release 12.5: Migrate to a fixed release.
- Release 14: Up to 14SU4. Fixed in 14SU5 or by applying patch `ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512`.
- Release 15: Fixed in 15SU4 (March 2026) or by applying patch `ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512` or `ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512`.
- **Unity Connection:**
- Release 12.5: Migrate to a fixed release.
- Release 14: Fixed in 14SU5 or by applying patch `ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512`.
- Release 15: Fixed in 15SU4 (March 2026) or by applying patch `ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512`.
- Configurations: Affected products accessible via their web-based management interface.
## Vulnerability Description
The vulnerability exists due to improper validation of user-supplied input within HTTP requests targeting the web-based management interface. An unauthenticated remote attacker can exploit this flaw by sending a sequence of crafted HTTP requests. Successful exploitation leads to the execution of arbitrary commands on the underlying operating system, initially granting user-level access, with the potential to escalate privileges to root.
## Exploitation
- Status: **Exploited in the wild** (Actively exploited as a zero-day).
- Complexity: Implied Low due to unauthenticated remote access.
- Attack Vector: Network (Remote via HTTP requests).
## Impact
- Confidentiality: Potential compromise leading to user-level access.
- Integrity: Potential compromise leading to arbitrary command execution and privilege escalation.
- Availability: Potential compromise leading to system disruption or takeover.
## Remediation
### Patches
- **Unified CM/SME/IM&P/Webex Calling Dedicated Instance:**
- Upgrade to fixed releases: **14SU5** or **15SU4** (expected March 2026) where applicable, or apply corresponding patch files (e.g., `ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512`).
- Release 12.5 users must migrate to a fixed release.
- **Unity Connection:**
- Upgrade to fixed release **14SU5** or **15SU4**. Apply patch file `ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512`.
- Release 12.5 users must migrate to a fixed release.
### Workarounds
- Currently, **no workarounds** are available. Immediate patching is urged.
## Detection
- **Indicators of Compromise (IoC):** Not explicitly detailed in the text, but organizations should monitor system logs for unusual HTTP requests targeting the management interface followed by unexpected process execution or privilege escalations to root.
- **Detection Methods and Tools:** Check the Affected Systems list for devices that have not yet been patched. Reference CISA's KEV catalog entry for potential threat intelligence feeds related to this CVE.
## References
- Vendor Advisory: sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b (Defanged)
- CISA KEV Catalog: cisa.gov/known-exploited-vulnerabilities-catalog (Defanged)