Cisco has released urgent security updates to patch a critical zero-day vulnerability in its Unified Communications and Webex Calling platforms that has been actively exploited in real-world attacks.
The flaw, tracked as CVE-2026-20045, allows an unauthenticated attacker to remotely execute malicious code on vulnerable systems and ultimately gain root access to affected servers. Cisco’s Product Security Incident Response Team (PSIRT) confirmed that exploitation attempts have already been observed in the wild, prompting strong warnings for customers to apply patches immediately.
What’s At Risk
The vulnerability affects several widely used Cisco enterprise communication products, including:
- Cisco Unified Communications Manager (Unified CM)
- Unified CM Session Management Edition (SME)
- Unified CM IM & Presence
- Cisco Unity Connection
- Webex Calling Dedicated Instance
According to Cisco, the issue stems from improper validation of user-supplied input in HTTP requests sent to the web-based management interface of affected products. By chaining specially crafted requests, an attacker could gain initial user-level access and then escalate privileges to root, giving them full control of the underlying operating system.
Although the flaw carries a CVSS base score of 8.2, which would ordinarily map to a High severity, Cisco rated it Critical because successful exploitation ends in root access to the underlying operating system.
No Workarounds Available
Cisco emphasized that there are no workarounds or configuration changes that can mitigate the issue, making software updates the only effective defense.
“The Cisco PSIRT is aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability,” the company said in its advisory.
Cisco has released patch files and fixed software releases for each supported version. Customers running older releases, such as 12.5, are advised to migrate to a fixed release. Because the patches are specific to each software version, administrators should check the advisory's fixed-release information before deployment rather than applying a patch built for a different train.
Government Agencies On Deadline
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring the active threat. Federal agencies have been given until February 11, 2026, to apply the necessary updates.
The disclosure follows a series of recent security fixes from Cisco. Earlier this month, the company patched a vulnerability in its Identity Services Engine (ISE) after public proof-of-concept exploit code was released, as well as an AsyncOS zero-day that had reportedly been exploited since November.
What Customers Should Do
Organizations using Cisco Unified Communications or Webex Calling Dedicated Instance should:
- Identify affected products and versions
- Apply the appropriate patches or upgrade to fixed releases immediately
- Monitor systems for signs of compromise
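The monitoring step above is the one most teams have no ready tooling for. The script below is an added example (not Cisco code, and not a signature for this CVE, since the advisory as summarized here publishes no indicators) that triages web-management-interface access logs for the kind of activity the advisory describes: requests to the administration interface from outside the networks admins actually use, request targets carrying characters that should never appear in validated input, and a source that gets a successful admin response after earlier authentication failures, which is what a chained user-to-root sequence might look like from the web server's side. The log format (Apache/Tomcat combined), the admin URL prefixes, the allowlisted admin network and the sample log lines are all assumptions or constructed for illustration; swap in your own.

```python
"""Heuristic triage of management-interface access logs (added example).

Assumptions (not from the advisory): combined log format, admin URL prefixes,
the allowlisted admin network, and the constructed sample lines below.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/Tomcat "combined" log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Hypothetical URL prefixes of the web-based management interfaces.
ADMIN_PREFIXES = ("/ccmadmin/", "/cuadmin/", "/cupadmin/")
# Constructed allowlist: the jump-host network admins are expected to come from.
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]
# Shell metacharacters, path traversal and control bytes have no business in
# validated management-interface input; their presence is worth a look.
SUSPICIOUS = re.compile(r"[;|`$]|\.\./|[\x00-\x1f]")

# Constructed sample lines: one legitimate admin session, one external source
# probing the admin interface, one ordinary user-portal request.
SAMPLE_LOG = """\
10.0.5.20 - admin [05/Feb/2026:09:01:10 +0000] "GET /ccmadmin/main.do HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [05/Feb/2026:09:02:01 +0000] "POST /ccmadmin/login.do HTTP/1.1" 401 233 "-" "python-requests/2.31"
203.0.113.45 - - [05/Feb/2026:09:02:02 +0000] "POST /ccmadmin/login.do HTTP/1.1" 401 233 "-" "python-requests/2.31"
203.0.113.45 - - [05/Feb/2026:09:02:05 +0000] "GET /ccmadmin/example.do?name=%27%3Bid%3B%27 HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.45 - - [05/Feb/2026:09:02:09 +0000] "POST /ccmadmin/upload.do HTTP/1.1" 200 41 "-" "python-requests/2.31"
10.0.5.21 - - [05/Feb/2026:09:03:00 +0000] "GET /ccmuser/ HTTP/1.1" 200 910 "-" "Mozilla/5.0"
"""


def parse(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode percent-encoding so encoded metacharacters are seen as such.
    rec["target"] = unquote(rec["target"])
    return rec


def is_admin(target):
    return target.startswith(ADMIN_PREFIXES)


def triage(log_text, admin_nets=ADMIN_NETS):
    """Map source IP -> sorted list of reasons it deserves investigation.

    Only requests to the management interface are considered; ordinary
    user-portal traffic is ignored.
    """
    findings = defaultdict(set)
    seen_auth_failure = set()
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None or not is_admin(rec["target"]):
            continue
        ip = rec["ip"]
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in admin_nets):
            findings[ip].add("admin interface reached from outside allowlisted networks")
        if SUSPICIOUS.search(rec["target"]):
            findings[ip].add("suspicious characters in request target")
        if rec["status"] in (401, 403):
            seen_auth_failure.add(ip)
        elif rec["status"] == 200 and ip in seen_auth_failure:
            # A source that was refused and later succeeds on the admin
            # interface is the shape a chained, escalating sequence takes.
            findings[ip].add("successful admin request after earlier auth failures")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

Run it against the real access logs of each affected node (and the logs from before the patch date, since the flaw was exploited before the fix shipped). The rules are deliberately coarse: they are meant to shortlist sources for a human to examine, not to prove compromise, and a hit on the allowlist rule alone may just mean the allowlist is incomplete.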
With active exploitation confirmed and no temporary mitigations available, any delay in updating leaves critical communication infrastructure exposed to full system takeover.
