Active Exploitation of Cisco Unified Communications RCE (CVE-2026-20045)
Cisco released fixes for a critical remote code execution vulnerability in Unified Communications and Webex Calling Dedicated Instance, tracked as CVE-2026-20045, after it was actively exploited as a zero-day. The issue stems from improper validation of user-supplied input in HTTP requests to the web-based management interface; successful exploitation can provide user-level OS access and enable privilege escalation to root. Affected products include Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance; Cisco provided version-specific remediations including fixed releases and .cop patch files (e.g., ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512).
CISA added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation and highlighting code injection flaws as a common attack vector with significant risk to the federal enterprise. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities by the specified due date, and CISA urged all organizations to similarly prioritize patching to reduce exposure to ongoing attacks.
Timeline
Jan 21, 2026
CISA adds CVE-2026-20045 to the KEV catalog
CISA added CVE-2026-20045 to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The agency set a remediation deadline of 2026-02-11 for Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01.
Jan 21, 2026
Cisco confirms in-the-wild exploitation of CVE-2026-20045
Alongside the advisory, Cisco PSIRT said it had observed exploitation attempts against CVE-2026-20045 in the wild, making the issue a zero-day at disclosure. Reports noted the company did not provide attribution or scope details for the attacks.
Jan 21, 2026
Cisco discloses and patches CVE-2026-20045 in Unified Communications products
Cisco released security fixes for CVE-2026-20045, a critical code injection/remote code execution flaw in multiple Unified Communications products and Webex Calling Dedicated Instance. Cisco said the bug affects the web-based management interface, has no workaround, and can allow unauthenticated attackers to gain OS access and potentially escalate to root.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Threat Actors
Sources
5 more from sources like the hacker news, cyber security news, security online info, cyberthrone and bleeping computer
Related Stories
Active Exploitation of Critical RCE Vulnerabilities in Enterprise Infrastructure (Cisco UC and VMware vCenter)
Reports warn of **in-the-wild exploitation** of critical remote code execution vulnerabilities affecting widely deployed enterprise infrastructure. One report describes a purported Cisco Unified Communications zero-day, **CVE-2024-20253**, impacting *Cisco Unified Communications Manager (Unified CM)*, *Cisco Unity Connection*, and *Webex Calling Dedicated Instance*, and claims it enables **unauthenticated command execution** via the web management interface, creating risk of full system compromise and rapid opportunistic scanning of internet-exposed instances. Separately, **CISA added Broadcom VMware vCenter Server CVE-2024-37079** (CVSS 9.8) to the **Known Exploited Vulnerabilities (KEV)** catalog based on evidence of exploitation; the issue is described as a **DCE/RPC heap overflow** that can lead to RCE via specially crafted network packets, and Broadcom updated its advisory to acknowledge observed exploitation. A third item (Rapid7’s Metasploit wrap-up) is not about either of these active-exploitation advisories; it covers new Metasploit modules for unrelated vulnerabilities (e.g., Oracle E-Business Suite **CVE-2025-61882** and Splunk issues), which may increase general exploitation capability but does not substantively corroborate the Cisco or VMware events.
1 months ago
Cisco Patches Critical Firewall Management RCE Vulnerabilities
Cisco released emergency fixes for two **critical (CVSS 10.0)** vulnerabilities in its firewall management software that could allow **remote, unauthenticated attackers** to execute code and gain **root-level** access to the underlying operating system. The issues are tracked as `CVE-2026-20079` and `CVE-2026-20131`, and reporting emphasized the risk profile given Cisco’s widespread deployment in large enterprises and the historical interest of sophisticated actors in rapidly weaponizing Cisco bugs. Available reporting stated there were **no confirmed in-the-wild exploitation** reports at the time of publication, but urged rapid patching due to the combination of unauthenticated reachability and full compromise potential. Separate coverage packaged the Cisco flaws alongside other weekly security items (e.g., Tycoon2FA infrastructure takedown and other incidents), but the Cisco item consistently described the same two maximum-severity firewall management vulnerabilities and their impact (RCE leading to root access).
1 months ago
Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities by UAT-8616
**CISA** ordered U.S. federal civilian agencies to urgently remediate a **critical Cisco Catalyst SD-WAN Manager compromise** tied to **CVE-2026-20127**, a `CVSS 10.0` authentication bypass flaw that allows attackers to obtain high-privilege access without valid credentials. Reporting indicates the activity was uncovered by **CISA** and **Cisco Talos**, which attributed exploitation to **UAT-8616** and assessed that the intrusions date back to 2023. Attackers reportedly maintained persistence by downgrading devices to older vulnerable software and then using the access to reach `NETCONF` and manipulate SD-WAN fabric configuration, creating significant risk for federal networks and other exposed deployments. Additional research shows the campaign is not limited to a single bug. Cisco disclosed in-the-wild exploitation of **CVE-2026-20127** together with **CVE-2022-20775**, an older SD-WAN CLI flaw enabling post-auth privilege escalation and root command execution, while external analysis warned that public proof-of-concept material around `CVE-2026-20127` has been misattributed and may produce incomplete detections. Researchers also highlighted broader exposure across internet-facing SD-WAN Manager instances and warned that **CVE-2026-20133** may present underappreciated risk and could already be seeing exploitation, underscoring that defenders should treat the Cisco SD-WAN issue as an active intrusion and hardening priority rather than a routine patch cycle.
1 months ago