Cisco plugs up Unified Comms zero-day under active exploit
Briefly

"The issue sits in the management interface's HTTP handling and can be triggered without logging in. "This vulnerability is due to improper validation of user-supplied input in HTTP requests," Cisco explains in its advisory. "An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device." Given how often those interfaces are reachable over internal networks or VPNs, it's not hard to see why attackers have noticed."
"It allows unauthenticated remote attackers to execute arbitrary code on the underlying operating system and potentially escalate to root. Cisco's Product Security Incident Response Team gave it a "Critical" severity rating, even though its CVSS base score sits in the "High" range, because successful exploits can lead to full system compromise. The networking giant said it is "aware of attempted exploitation of this vulnerability in the wild" and has urged customers to apply fixes immediately."
A critical vulnerability, CVE-2026-20045, affects web-management interfaces across multiple Cisco Unified Communications products, including Unified CM, Session Management Edition, IM & Presence Service, Cisco Unity Connection, and Webex Calling Dedicated Instance. By sending crafted HTTP requests that exploit improper validation of user-supplied input, unauthenticated remote attackers can execute arbitrary code on the underlying operating system and potentially escalate to root. Cisco rated the issue Critical because exploited devices can be fully compromised, and it confirmed attempted exploitation in the wild. Cisco has urged customers to apply vendor fixes immediately; affected-customer counts and data-exfiltration status remain unspecified.
Read at The Register