CVE-2026-20045 — Cisco Unified Communications Products Code Injection Vulnerability

CVE-2026-20045

Cisco Unified Communications Manager — Pre-Auth Remote Code Execution via HTTP Request Injection

What is Cisco Unified Communications Manager?

Cisco Unified Communications Manager (Unified CM) is the core call-processing platform in Cisco's enterprise telephony suite. It provides call routing, signaling, and control for IP phones, video endpoints, and unified communications services across organizations of all sizes. The product family includes Unified CM, Unified CM Session Management Edition (SME), Unified CM IM & Presence Service (IM&P), Unity Connection (voicemail), and Webex Calling Dedicated Instance. Cisco UC is deployed in millions of enterprise and government networks, making it a high-value target for initial access — compromising the communications infrastructure can provide persistent footholds and access to sensitive voice and video data.

Overview

CVE-2026-20045 is a code injection vulnerability in the web-based management interface shared by multiple Cisco Unified Communications products. An unauthenticated remote attacker can send a crafted sequence of HTTP requests to gain initial OS-level command execution, which can then be escalated to root. Cisco confirmed active exploitation as a zero-day prior to patching and CISA added it to the KEV catalog on the same day the advisory was published.

Affected Versions

Product | Vulnerable | Fixed
Cisco Unified CM / Unified CM SME | All versions prior to 14SU5 or 15SU4 | 14SU5, 15SU4
Cisco Unified CM IM & Presence Service | All versions prior to 14SU5 or 15SU4 | 14SU5, 15SU4
Cisco Unity Connection | All versions prior to 14SU5 or 15SU4 | 14SU5, 15SU4
Cisco Webex Calling Dedicated Instance | All versions | Apply Cisco-directed mitigation
Unified CM / IM&P version 12.5 | All 12.5.x (end of support) | Must migrate to 14SU5 or later

Technical Details

The vulnerability (CWE-94: Code Injection) exists in the HTTP request handling of the web-based management interface. Insufficient validation of user-supplied input allows an unauthenticated attacker to inject code through a crafted sequence of HTTP requests. Successful exploitation grants initial user-level access to the underlying OS, which can then be escalated to root using standard privilege escalation techniques.

The management interface need not be internet-facing for exploitation — any network path to the management port is sufficient. The attack vector (AV:N, AC:L, PR:N) makes this particularly dangerous in environments where the management interface is accessible from internal networks without additional access controls, which is common in enterprise UC deployments.

Discovery

An unnamed external security researcher reported the vulnerability to Cisco PSIRT. Cisco does not publicly identify the reporter.

Exploitation Context

Cisco and CISA confirmed active in-the-wild exploitation of this vulnerability as a zero-day before the patch was available. The CISA KEV listing on the publication date of the advisory indicates agencies had already observed exploitation activity. No specific threat actor group has been publicly attributed. The scale of exposure is significant — Cisco Unified Communications products are deployed pervasively across enterprise and government networks globally, and the management interface is often accessible from administrative segments with broad network visibility.

Remediation

  1. Upgrade immediately to Cisco Unified CM 14SU5 or 15SU4 (or the equivalent fixed release for IM&P and Unity Connection).
  2. Version 12.5 users must migrate to a supported release — no 12.5 patch is available.
  3. Webex Calling Dedicated Instance users should contact Cisco for directed mitigation steps.
  4. Restrict management interface access — apply firewall rules to limit HTTP/HTTPS access to the management interface to trusted administrative subnets only. Do not expose the management interface to the internet.
  5. Review logs for unusual HTTP requests to the management interface, particularly sequences of requests that do not match normal administrative patterns.
  6. Monitor for indicators of compromise — unexpected processes running as root, new user accounts, or unusual outbound connections from UC servers.
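
Steps 4 and 5 can be combined into a quick log triage, shown here as an added example that is not Cisco's or this page's own code: it groups management-interface requests by source and keeps only sources outside the trusted administrative subnets, preserving request order so the sequence can be reviewed. The Common Log Format layout, the subnets, the `/example/...` paths and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: trusted administrative subnets (constructed values).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.1.0/28")]

# Assumption: access log in Common Log Format; adjust to the real log layout.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = """\
10.20.0.15 - admin [21/Jan/2026:09:01:12 +0000] "GET /example/admin/home HTTP/1.1" 200 5120
10.20.0.15 - admin [21/Jan/2026:09:01:40 +0000] "POST /example/admin/save HTTP/1.1" 200 312
192.0.2.77 - - [21/Jan/2026:09:03:05 +0000] "GET /example/admin/home HTTP/1.1" 200 5120
192.0.2.77 - - [21/Jan/2026:09:03:06 +0000] "POST /example/admin/save HTTP/1.1" 500 0
not a log line
10.50.3.9 - - [21/Jan/2026:09:10:00 +0000] "GET /example/admin/home HTTP/1.1" 401 0
"""

def is_trusted(src):
    """True when src parses as an IP address inside a trusted admin subnet."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are treated as untrusted
    return any(addr in net for net in TRUSTED_ADMIN_NETS)

def review(log_text):
    """Return ({untrusted source: [requests in log order]}, [unparsed lines])."""
    findings, unparsed = defaultdict(list), []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            if line.strip():
                unparsed.append(line)  # keep for manual review, never drop silently
            continue
        if not is_trusted(m["src"]):
            findings[m["src"]].append((m["ts"], m["method"], m["path"], int(m["status"])))
    return dict(findings), unparsed

if __name__ == "__main__":
    findings, unparsed = review(SAMPLE_LOG)
    for src, reqs in findings.items():
        print(src, "-", len(reqs), "request(s) from outside trusted admin subnets")
        for req in reqs:
            print("   ", *req)
    print("unparsed lines needing manual review:", unparsed)
```

Any source this reports is also a gap in the step 4 firewall rules, since it reached the management interface at all.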

Key Details

Property | Value
CVE ID | CVE-2026-20045
Vendor / Product | Cisco — Unified Communications Manager
NVD Published | 2026-01-21
NVD Last Modified | 2026-02-13
CVSS 3.1 Score | 8.2
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Severity | HIGH
CWE | CWE-94
CISA KEV Added | 2026-01-21
CISA KEV Deadline | 2026-02-11
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2026-02-11. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2026-01-21 | CVE published; Cisco advisory released; added to CISA KEV catalog as zero-day
2026-02-11 | CISA BOD 22-01 remediation deadline
2026-02-13 | NVD last modified (enriched with CVSS data)