Cisco has disclosed a critical zero-day remote code execution (RCE) vulnerability, CVE-2026-20045, actively exploited in the wild.
Affecting key Unified Communications products, this flaw allows unauthenticated attackers to run arbitrary commands on the underlying OS, potentially gaining root access.
The Cisco Product Security Incident Response Team (PSIRT) confirmed exploitation attempts and urged immediate patching.
The issue stems from improper validation of user-supplied input in HTTP requests to the web-based management interface. An attacker sends crafted HTTP requests that bypass authentication, execute commands at the user level, and then escalate privileges to root. Cisco rated it Critical via Security Impact Rating (SIR), overriding the CVSS score due to root-level risks.
No workarounds exist. Exploitation requires network access to the management interface, common in enterprise VoIP setups exposed via firewalls or VPNs.
Affected Products
This vulnerability impacts these Cisco products regardless of configuration:
ProductBug IDUnified CMCSCwr21851Unified CM SMECSCwr21851Unified CM IM&PCSCwr29216Unity ConnectionCSCwr29208Webex Calling Dedicated InstanceCSCwr21851
Products like Contact Center SIP Proxy, Unified CCE, and others are confirmed unaffected. Check the advisory for full details.
Fixed Releases and Patches
Cisco released updates and patches. Migrate or apply version-specific fixes; consult patch READMEs.
Unified CM, IM&P, SME, Webex Calling
ReleaseFirst Fixed Release12.5Migrate to fixed release1414SU5 or 14SU4a patch1515SU4 (Mar 2026) or 15SU2/3 patches
Unity Connection
ReleaseFirst Fixed Release12.5Migrate to fixed release1414SU5 or 14SU4 patch1515SU4 (Mar 2026) or 15SU3 patch
PSIRT validates only listed releases.
Exploitation in the Wild
Cisco PSIRT detected real-world exploits targeting unpatched systems. Attackers likely leverage automated scanners for exposed interfaces. Enterprises running vulnerable VoIP/UC deployments face high risk, especially in hybrid work environments.
Apply patches immediately. Restrict management interface to trusted IPs via firewalls. Monitor logs for anomalous HTTP requests. CISA added this to the Known Exploited Vulnerabilities soon.
An external researcher reported the flaw; Cisco credited them in the advisory. Stay vigilant: zero-day vulnerabilities like CVE-2026-20045 underscore UC platform risks amid rising RCE trends.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Cisco Unified Communications 0-day RCE Vulnerability Exploited in the Wild to Gain Root Access appeared first on Cyber Security News.
