Cisco Patches Actively Exploited Zero-Day RCE Vulnerability
▼ Summary
– Cisco has patched a critical, actively exploited zero-day vulnerability (CVE-2026-20045) allowing remote code execution in multiple Unified Communications and Webex Calling products.
– The flaw stems from improper input validation in HTTP requests, enabling attackers to gain root access on affected servers.
– Cisco has released specific software updates and patch files for various product versions, advising customers to review instructions before applying them.
– There are no available workarounds, and Cisco’s PSIRT confirms exploitation in the wild, urging immediate upgrades.
– The U.S. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch by February 11, 2026.
Cisco has released critical security patches to address a severe remote code execution vulnerability, identified as CVE-2026-20045, which attackers are already exploiting in active campaigns. This zero-day flaw affects a wide range of the company’s communication platforms, posing a significant risk to organizations using these systems. The issue stems from a failure to properly validate user input within HTTP requests, allowing malicious actors to send specially crafted sequences to the web management interface of vulnerable devices.
The impacted products include Cisco Unified Communications Manager (Unified CM), its Session Management Edition (SME) and IM & Presence service, Cisco Unity Connection, and Webex Calling Dedicated Instance deployments. By exploiting this vulnerability, an attacker can initially gain user-level access to the underlying operating system and then escalate those privileges to obtain full root-level control over the server. Although the flaw carries a CVSS base score of 8.2, Cisco has classified it with a Critical severity rating due to the direct path it provides to complete system compromise.
Cisco’s advisory provides specific update paths for affected software versions. For Unified CM, IM&P, SME, and Webex Calling Dedicated Instance, users of version 12.5 must migrate to a fixed release. Those on version 14 should upgrade to 14SU5 or apply a designated patch file, while version 15 users need to move to 15SU4 or apply one of two available patches. Similarly, for Cisco Unity Connection, version 12.5 requires migration, version 14 needs 14SU5 or a patch, and version 15 necessitates 15SU4 or a patch. The company emphasizes that these patches are version-specific and advises administrators to carefully review the accompanying README documentation before installation.
The urgency for remediation is high. Cisco’s Product Security Incident Response Team (PSIRT) has confirmed observing exploitation attempts in the wild. The company strongly urges all customers to apply the provided updates immediately. Importantly, Cisco states there are no available workarounds to mitigate this threat without installing the official patches. The severity of the active exploitation has also drawn the attention of U.S. cybersecurity authorities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to apply updates by February 11, 2026.
This security update follows other recent critical patches from Cisco, including fixes for an Identity Services Engine (ISE) vulnerability with public proof-of-concept code and a separate AsyncOS zero-day that has been under attack since November. The consecutive discovery of these high-severity flaws underscores the persistent need for organizations to maintain vigilant patch management practices for all network infrastructure.
(Source: Bleeping Computer)
