Executive Summary
An actively exploited zero-day vulnerability in Cisco Unified Communications products allows unauthenticated remote code execution with root privileges via crafted HTTP requests to the web management interface. Cisco rates this Critical due to the root-level access achieved. CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
This was a true zero-day — exploited in the wild before patches were available.
Vulnerability Details
| Field | Details |
|---|---|
| CVE | CVE-2026-20045 |
| CVSS | 8.2 (High) / Cisco Critical |
| Type | Unauthenticated Remote Code Execution |
| Vector | Crafted HTTP requests to web management interface |
| Privilege | Root-level access |
| CISA KEV | Yes, remediation deadline February 11, 2026 |
Affected Products
- Cisco Unified Communications Manager (CM)
- Cisco Unified CM Session Management Edition (SME)
- Cisco Unified CM IM & Presence Service
- Cisco Unity Connection
- Cisco Webex Calling Dedicated Instance
These products are deployed in millions of enterprise voice environments worldwide.
Impact
Cisco Unified Communications Manager is the backbone of enterprise voice infrastructure. Root-level compromise could allow an attacker to:
- Intercept voice calls and voicemail
- Redirect calls to attacker-controlled numbers
- Access call records and contact directories
- Pivot into the enterprise network from the UC infrastructure
- Disrupt communications during incident response
Exploitation Activity
This vulnerability was exploited before patches were available, making it a true zero-day. The specific threat actors and attack methodology have not been publicly attributed.
CISA added CVE-2026-20045 to the KEV catalog with a remediation deadline of February 11, 2026, indicating urgency.
Remediation
Immediate Actions
- Apply Cisco patches immediately for all affected UC products
- Restrict management interface access to internal management VLANs only
- Monitor HTTP access logs for unusual requests to management endpoints
- Audit system accounts for unauthorized changes or new accounts
Network Hardening
- Never expose UC management interfaces to the internet
- Implement network segmentation between UC infrastructure and the general network
- Deploy IPS rules to detect exploitation attempts
- Enable enhanced logging on all UC components
Detection
Monitor for:
- Unexpected HTTP requests to UC management URLs from non-administrative sources
- New processes or files created on UC servers (especially running as root)
- Changes to call routing tables or dial plans
- Unusual outbound connections from UC infrastructure
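The first check above, run over web access logs, as an added example that is not from the advisory or from Cisco. The management VLAN range, the URL prefixes and the Common Log Format layout are assumptions to replace with your own values; the advisory does not name the affected endpoint, so the prefixes only mark what counts as a management URL here.

```python
import ipaddress
import re

# Assumptions (not from the advisory): adjust both to your deployment.
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.50.0/24")]      # management VLAN
MGMT_PREFIXES = ("/ccmadmin/", "/cmplatform/", "/cuadmin/")  # assumed admin UI prefixes

# Common Log Format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_admin_source(addr):
    """True when addr belongs to one of the approved management networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames or malformed values count as non-administrative
    return any(ip in net for net in ADMIN_NETWORKS)

def find_unexpected_mgmt_requests(lines):
    """Return (timestamp, source, method, path, status) for each request to a
    management URL that did not come from an administrative network."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Compare on the path only, case-insensitively, ignoring the query string.
        path = m["path"].split("?", 1)[0].lower()
        if path.startswith(MGMT_PREFIXES) and not is_admin_source(m["src"]):
            findings.append((m["ts"], m["src"], m["method"], m["path"], int(m["status"])))
    return findings

# Constructed sample lines for illustration; not real traffic or real page names.
SAMPLE_LOG = [
    '10.10.50.12 - admin [20/Jan/2026:09:14:02 +0000] "GET /ccmadmin/example-page HTTP/1.1" 200 5120',
    '10.20.7.44 - - [20/Jan/2026:09:15:40 +0000] "POST /ccmadmin/example-page HTTP/1.1" 500 312',
    '10.20.7.44 - - [20/Jan/2026:09:15:41 +0000] "GET /ccmuser/ HTTP/1.1" 200 2048',
    '203.0.113.9 - - [20/Jan/2026:09:16:05 +0000] "GET /CMPlatform/example?x=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_unexpected_mgmt_requests(SAMPLE_LOG):
        print(hit)
```

Each finding is a lead for review rather than proof of exploitation; correlate hits with the process, file and account checks listed above.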
Enterprise voice infrastructure is a high-value target. Organizations running Cisco Unified Communications must patch immediately and verify no compromise has occurred.