Cisco has fixed a critical Unified Communications and Webex Calling remote code execution vulnerability, tracked as CVE-2026-20045, that has been actively exploited as a zero-day in attacks.
The flaw impacts Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance.
“This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected system,” warns Cisco’s advisory.
“A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.”
While the vulnerability has a CVSS score of 8.2, Cisco assigned it a Critical severity rating, as exploitation leads to root access on servers.
Cisco has released the following software updates and patch files to address the vulnerability:
Cisco Unified CM, Unified CM IM&P, Unified CM SME, and Webex Calling Dedicated Instance Release:
Cisco Unity Connection Release:
The company says the patches are version-specific, so the README should be reviewed before applying patches.
Cisco’s Product Security Incident Response Team (PSIRT) has confirmed that attempts to exploit the flaw have been observed in the wild, urging customers to upgrade to the latest software as soon as possible.
The company also said there are no workarounds that can mitigate the flaw without installing updates.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) Catalog and given federal agencies until February 11, 2026, to deploy updates.
Earlier this month, Cisco patched an Identity Services Engine (ISE) vulnerability with public proof-of-concept exploit code and an AsyncOS zero-day exploited since November.




