CISA Warns of Actively Exploited Cisco Unified CM Zero-Day RCE Vulnerability

By AnuPriya
Publication Date: 2026-01-22 10:19:00

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability affecting Cisco Unified Communications Manager to its Known Exploited Vulnerabilities catalog.

Tracked as CVE-2026-20045, the flaw enables attackers to execute arbitrary code on affected systems and escalate privileges to root level, posing severe risks to enterprise communication infrastructure.

The vulnerability is a code injection flaw caused by improper validation in multiple Cisco communications products.

Attackers can exploit this weakness to gain initial user-level access to the underlying operating system and then escalate privileges to administrative control, resulting in complete system compromise.

Affected Products

The code injection vulnerability impacts multiple Cisco Unified Communications products:

  • Cisco Unified Communications Manager (Unified CM)
  • Cisco Unified Communications Manager Session Management Edition…