Exploited Zero-Day Flaw in Cisco UC Could Affect Millions - Dark Reading
Mass scanning is underway for CVE-2026-20045, which Cisco tagged as critical because successful exploitation could lead to a complete system takeover.
Rob Wright, Senior News Director, Dark Reading
January 23, 2026
A zero-day vulnerability affecting a range of Cisco's unified communications products has been exploited by threat actors, though details of the activity are unclear.
Cisco on Wednesday disclosed and patched CVE-2026-20045, a remote code execution (RCE) vulnerability in Cisco's Unified Communications Manager (UCM) as well as other products. Cisco has 30 million users for UCM, which provides IP-based voice, video, conferencing, and collaboration for enterprises — so the potential impact could be vast.
According to Cisco's advisory, the flaw stems from improper validation of user-supplied input in HTTP requests: "An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device," the advisory stated. "A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root."
While the vulnerability received a high-severity CVSS score of 8.2, Cisco said it assigned CVE-2026-20045 a proprietary Security Impact Rating (SIR) of critical because of the potential for attackers to achieve root privileges and gain full control over targeted systems.
The zero-day vulnerability also impacts Cisco's Unified Communications Manager Session Management Edition (UCM SME), Unified Communications Manager IM & Presence Service (UCM IM&P), Unity Connection, and Webex Calling Dedicated Instance. The networking giant credited an anonymous "external researcher" with the discovery of the RCE flaw.
Cisco Zero-Day Under Attack, But From Where?
Cisco said in the advisory that its Product Security Incident Response Team (PSIRT) "is aware of attempted exploitation of this vulnerability in the wild," and strongly urged customers to update their software to a fixed version.
The US Cybersecurity and Infrastructure Security Agency (CISA) also added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday. The KEV listing stated that it's unknown if the vulnerability has been exploited in ransomware attacks.
Dark Reading contacted Cisco for comment, but the company declined to provide additional information.
While the source of the exploitation activity is unclear, threat intelligence vendor SOCRadar noted in a blog post Thursday that signs indicate possible mass scanning for vulnerable instances.
"Although public reports have not attributed the activity to a specific threat group, the observed exploitation behavior points to attackers scanning for exposed or poorly secured Unified Communications Management interfaces and abusing unauthenticated HTTP access to gain a foothold," SOCRadar researchers said.
Also on Thursday, Arctic Wolf Labs warned that the zero-day flaw was likely to attract more attention from attackers, given the nature and severity of the vulnerability.
"While Arctic Wolf has not identified a publicly available proof-of-concept exploit [PoC], threat actors are likely to continue targeting this vulnerability due to the high impact of achieving root-level access," the blog post said. "Cisco products have historically been popular targets for threat actors, as reflected in multiple prior entries within CISA’s Known Exploited Vulnerabilities catalog."
Indeed, Cisco vulnerabilities have been heavily targeted by a variety of threat actors in recent years, most notably by nation-state adversaries tied to the People's Republic of China (PRC). In September, Cisco disclosed and patched several zero-day vulnerabilities that were used in an ongoing state-sponsored cyber-espionage campaign known as "ArcaneDoor."
More recently, Cisco revealed in December that China-nexus threat group UAT-9686 had been exploiting a zero-day flaw that impacts Cisco's Secure Email Gateway and Secure Email and Web Manager. The critical vulnerability, tracked as CVE-2025-20393, received a max CVSS score of 10 and was patched last week.
This story was updated at 8 a.m. ET on Jan. 26 to reflect that Cisco declined to comment.
About the Author
Rob Wright
Senior News Director, Dark Reading
Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.