Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex
"This vulnerability is due to improper validation of user-supplied input in HTTP requests," Cisco said in an advisory. "An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root."

"The critical rating for the flaw is due to the fact that its exploitation could allow for privilege escalation to root," it added. The vulnerability impacts the following products:

- Unified CM
- Unified CM Session Management Edition (SME)
- Unified CM IM & Presence Service (IM&P)
- Unity Connection
- Webex Calling Dedicated Instance

It has been addressed in the following versions:

Cisco Unified CM, CM SME, CM IM&P, and Webex Calling Dedicated Instance
- Release 12.5 - Migrate to a fixed release
- Release 14 - 14SU5, or apply patch file ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
- Release 15 - 15SU4 (Mar 2026), or apply patch file ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 or ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512

Cisco Unity Connection
- Release 12.5 - Migrate to a fixed release
- Release 14 - 14SU5, or apply patch file ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
- Release 15 - 15SU4 (Mar 2026), or apply patch file ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
CVE-2026-20045 (CVSS score 8.2) permits an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of affected devices. The vulnerability results from improper validation of user-supplied input in HTTP requests and can be exploited by sending crafted HTTP requests to the web-based management interface. A successful exploit can yield user-level OS access with potential privilege escalation to root. Affected products include Unified CM, Unified CM SME, Unified CM IM&P, Unity Connection, and Webex Calling Dedicated Instance. Fixed releases and patch files are available for Releases 14 and 15, while Release 12.5 has no fixed build and must be migrated to a fixed release; immediate migration or patching is required.
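As an added triage helper (not Cisco's code or part of the advisory), the function below encodes the fix table above and classifies a deployed node as fixed, patched, vulnerable, or needing migration. It assumes release strings of the form "14SU4a" / "15SU3" / "12.5" and that the administrator supplies the names of installed COP files; the product keys "ucm" and "cuc" are assumptions of this example.

```python
import re

# Fixed Service Updates (SU) per major release, as published for CVE-2026-20045.
# Release 12.5 has no fixed build: the only remediation is migration.
FIXED_SU = {
    "ucm": {14: 5, 15: 4},  # 14SU5, 15SU4 (Mar 2026)
    "cuc": {14: 5, 15: 4},
}

# COP patch files named in the advisory; matching is by file name only,
# which SU each COP installs on is defined by Cisco, not checked here.
COP_FILES = {
    "ucm": {
        14: {"ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512"},
        15: {"ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512",
             "ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512"},
    },
    "cuc": {
        14: {"ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512"},
        15: {"ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512"},
    },
}

_VER = re.compile(r"^(\d+)(?:\.(\d+))?(?:SU(\d+)([a-z])?)?$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, su, suffix) for strings like '14SU4a' or '12.5'."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco release string: {text!r}")
    major, minor, su, suffix = m.groups()
    return int(major), int(minor or 0), int(su or 0), (suffix or "").lower()


def assess(product, version, installed_cops=()):
    """Classify a node as 'fixed', 'patched', 'vulnerable', 'migrate' or 'unknown'."""
    major, _minor, su, _suffix = parse_version(version)
    if major == 12:                       # 12.5 train: no fixed release exists
        return "migrate"
    fixed_su = FIXED_SU[product].get(major)
    if fixed_su is None:                  # release train not covered by the advisory
        return "unknown"
    if su >= fixed_su:                    # at or beyond the fixed SU
        return "fixed"
    if set(installed_cops) & COP_FILES[product][major]:
        return "patched"                  # interim COP from the advisory is present
    return "vulnerable"
```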
Read at The Hacker News