Networking hardware giant Cisco has moved quickly to address a remote code execution vulnerability in its Unified Communications products, releasing a suite of software updates overnight.
According to Cisco, CVE-2026-20045 is “due to improper validation of user-supplied input in HTTP requests”.
“An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device,” Cisco said in a 21 January security advisory.
“A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.”
CVE-2026-20045 has a CVSS score of 8.2, technically making it a high-severity vulnerability. However, Cisco said it considers the vulnerability to be a critical one because an attacker could elevate privileges to root.
Cisco disclosed that hackers are actively exploiting the vulnerability, and the US Cybersecurity and Infrastructure Security Agency has added it to its Known Exploited Vulnerabilities Catalog.
The following Cisco products are impacted:
- Unified CM (CSCwr21851)
- Unified CM SME (CSCwr21851)
- Unified CM IM&P (CSCwr29216)
- Unity Connection (CSCwr29208)
- Webex Calling Dedicated Instance (CSCwr21851)
Cisco said there are no workarounds for CVE-2026-20045, but it has released software updates for each platform.
You can read Cisco’s full advisory here.
David Hollingworth