By Lawrence Abrams
Publication Date: 2026-01-21 22:16:00
Cisco has fixed a critical Unified Communications and Webex Calling remote code execution vulnerability, tracked as CVE-2026-20045, that has been actively exploited as a zero-day in attacks.
Tracked as CVE-2026-20045, the flaw impacts Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance.
“This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device,” warns Cisco’s advisory.
“A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.”
While the vulnerability has a CVSS score of 8.2, Cisco assigned it a Critical severity rating, as exploitation leads to root access on…
