Cisco has released patches for a critical remote code execution vulnerability in its unified communications products that attackers are actively exploiting. The US Cybersecurity and Infrastructure Security Agency has added the flaw to its Known Exploited Vulnerabilities catalog, confirming the exploitation.
Cisco disclosed CVE-2026-20045 along with patches for Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The company assigned the vulnerability a “Critical” severity rating despite its CVSS score of 8.2.
“Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates,” the company said in its advisory. “The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.”
CISA’s addition of the vulnerability to its KEV catalog confirms attackers are exploiting it in the wild. “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA said in its alert.
This is the second actively exploited Cisco vulnerability CISA has added to its KEV catalog in recent weeks. Last week, the agency added CVE-2025-20393, affecting Cisco’s AsyncOS software.
“Other collaboration products, including Contact Center Enterprise, Emergency Responder, Finesse, Unified Intelligence Center, and Unified Contact Center Express, are not vulnerable to CVE-2026-20045,” the advisory added.
Root-level compromise with no user interaction
The vulnerability stems from improper validation of user-supplied input in HTTP requests. “An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device,” Cisco explained in the advisory. “A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.”
The attack requires no user interaction and can be carried out by unauthenticated remote attackers, making it particularly dangerous for internet-facing unified communications deployments, the advisory added.
Cisco’s Product Security Incident Response Team added that it is “aware of attempted exploitation of this vulnerability in the wild,” underscoring the urgency of patching.
No workarounds available
Cisco confirmed in the advisory that there are no workarounds or mitigations available for CVE-2026-20045. The company has released fixes specific to each product version.
For Unified Communications Manager, IM&P, SME, and Webex Calling Dedicated Instance running version 14, the company suggested administrators can upgrade to version 14SU5 or apply a version-specific patch file. Organizations running version 15 can apply version-specific patches for 15SU2 and 15SU3a, with a full release of version 15SU4 expected in March 2026, the company added.
Unity Connection administrators have similar options, with version-specific patch files available for releases 14SU4 and 15SU3.
Organizations still running version 12.5 face a harder choice: Cisco won’t release patches for this version and recommends migrating to a supported release.
“Customers are advised to migrate to a supported release that includes the fix for this vulnerability,” Cisco said in the advisory. Patches are version-specific, and administrators should consult the README files attached to each patch for deployment details, the advisory added.
Federal agencies face a deadline
CISA’s inclusion of CVE-2026-20045 in the KEV catalog triggers mandatory remediation timelines for Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01. Federal agencies must patch the vulnerability within two weeks of its January 21 addition to the catalog.
While BOD 22-01 applies specifically to federal agencies, CISA “strongly recommends” that all organizations treat KEV-listed vulnerabilities as high-priority patching targets. The catalog tracks flaws with confirmed active exploitation, making them significantly more likely to be weaponized against a broader range of targets.
How to patch
Cisco said organizations should check for signs of potential compromise on all internet-accessible instances after applying mitigations. The company advised administrators to review system logs and configurations for any unauthorized changes or suspicious activity that may indicate prior exploitation.
For organizations unable to immediately upgrade to fixed releases, the company said version-specific patch files offer an interim remediation option. However, Cisco noted that patches must match the exact software version running on the device, and administrators should verify compatibility before deployment.