Cisco recently patched a critical code injection vulnerability in its Unified Communications suite, tracked as CVE-2026-20045, which attackers are already exploiting in the wild. This flaw allows unauthenticated remote code execution, posing severe risks to enterprise voice and collaboration infrastructure.
Technical Breakdown
The vulnerability arises from insufficient input validation in HTTP requests to the web management interface. Attackers craft malicious requests to inject code, initially gaining user-level access on the OS before escalating to root privileges for complete system takeover.
CVSS v3.1 score: 8.2 (High), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N. No authentication required makes it highly exploitable.
Impacted Systems
Multiple Cisco products face exposure:
- Cisco Unified Communications Manager (Unified CM)
- Cisco Unified Communications Manager Session Management Edition (Unified CM SME)
- Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P)
- Cisco Unity Connection
- Cisco Webex Calling Dedicated Instance
Patch and CISA Action
Cisco issued fixes through advisory cisco-sa-voice-rce-mORhqY4b—upgrade immediately as no workarounds exist. CISA added it to the Known Exploited Vulnerabilities (KEV) Catalog on January 21, 2026, requiring federal agencies to patch by February 11, 2026.
Recommended Actions
- Apply vendor patches without delay.
- Limit management interface exposure to trusted IP ranges via firewalls.
- Scan logs for suspicious HTTP traffic targeting these endpoints.
- Prioritize if using affected Cisco UC deployments in production.
