Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex - The Hacker News

Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex Ravie LakshmananJan 22, 2026Vulnerability / Zero-Day Cisco has released fresh patches to address what it described as a "critical" security vulnerability impacting multiple Unified Communications (CM) products and Webex Calling Dedicated Instance that it has been actively exploited as a zero-day in the wild. The vulnerability, CVE-2026-20045 (CVSS score: 8.2), could permit an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of a susceptible device. "This vulnerability is due to improper validation of user-supplied input in HTTP requests," Cisco said in an advisory. "An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root." The critical rating for the flaw is due to the fact that its exploitation could allow for privilege escalation to root, it added. The vulnerability impacts the following products - Unified CM Unified CM Session Management Edition (SME) Unified CM IM & Presence Service (IM&P) Unity Connection Webex Calling Dedicated Instance It has been addressed in the following versions - Cisco Unified CM, CM SME, CM IM&P, and Webex Calling Dedicated Instance - Release 12.5 - Migrate to a fixed release Release 14 - 14SU5 or apply patch file: ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512 Release 15 - 15SU4 (Mar 2026) or apply patch file: ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 or ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512 Cisco Unity Connection  Release 12.5 - Migrate to a fixed release Release 14 - 14SU5 or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512 Release 15 - 15SU4 (Mar 2026) or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512 The networking equipment major also said it's "aware of attempted exploitation of this vulnerability in the wild," urging customers to upgrade to a fixed software release to address the issue. There are currently no workarounds. An anonymous external researcher has been credited with discovering and reporting the bug. The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by February 11, 2026. The discovery of CVE-2026-20045 comes less than a week after Cisco released updates for another actively exploited critical security vulnerability affecting AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager (CVE-2025-20393, CVSS score: 10.0) that could permit an attacker to execute arbitrary commands with root privileges. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  CISA, cisco, cybersecurity, remote code execution, Vulnerability, Webex, zero-day Trending News Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Load More ▼ Popular Resources Identity Controls Checklist: Find Missing Protections in Apps Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026