CVE-2026-20045
Cisco Unified Communications Products Code Injection Vulnerability - [Actively Exploited]
Description
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.
INFO
Published Date :
Jan. 21, 2026, 5:16 p.m.
Last Modified :
Jan. 22, 2026, 2:28 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b ; https://nvd.nist.gov/vuln/detail/CVE-2026-20045
Affected Products
The following products are affected by CVE-2026-20045
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Apply Cisco security updates for Unified CM products.
- Update Unified CM SME to the latest version.
- Install patches for Unified CM IM&P.
- Upgrade Cisco Unity Connection and Webex Calling.
Public PoC/Exploit Available at Github
CVE-2026-20045 has a 3 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-20045.
| URL | Resource |
|---|---|
| https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b | Vendor Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20045 | US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-20045 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-20045
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Mirror of https://github.com/nomi-sec/PoC-in-GitHub
CVE-2026-20045
Python
None
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-20045 vulnerability anywhere in the article.
-
Daily CyberSecurity
Under Siege: GTIG Report Exposes North Korean Spies & Russian Drone Hacks in Defense Sector
A new report from Google Threat Intelligence Group (GTIG) paints a stark picture of the modern battlefield, where the front lines have shifted from trenches to server rooms. The defense industrial bas ... Read more
-
Daily CyberSecurity
“Fiber” Optic Failure: Predictable UUIDs Expose Go Web Framework to Hijacking
A critical vulnerability has been uncovered in Fiber, the high-performance web framework for Go that powers countless modern web applications. The flaw, tracked as CVE-2025-66630, carries a CVSS score ... Read more
-
Daily CyberSecurity
Sleeping with the Enemy: Dormant Backdoors Found in Ivanti EPMM
A stealthy new cyber espionage campaign is targeting Ivanti Endpoint Manager Mobile (EPMM), but unlike typical ransomware gangs that smash and grab, these attackers are planting seeds and walking away ... Read more
-
Daily CyberSecurity
CVE-2026-23906: Authentication Bypass Flaw Hits Apache Druid Analytics Clusters
The Apache Software Foundation has released a security update for Apache Druid, the high-performance real-time analytics database, to fix a glaring hole in its authentication logic. Tracked as CVE-202 ... Read more
-
Daily CyberSecurity
CVE-2026-24343: Apache HertzBeat Flaw Opens Door to Resource Exhaustion
The Apache Software Foundation has issued a security advisory for HertzBeat, its AI-powered real-time observability platform, warning of a vulnerability that could allow attackers to overwhelm the sys ... Read more
-
Daily CyberSecurity
Critical SAP Alert: Code Injection (CVSS 9.9) Exposes S/4HANA Databases
SAP has released its security update for February 2026, issuing patches for 26 new vulnerabilities across its enterprise ecosystem. Leading the pack is a critical code injection flaw in SAP CRM and SA ... Read more
-
Daily CyberSecurity
HTTP Down: High-Severity Axios Flaw (CVSS 7.5) Crashes Node.js Servers
A high-severity vulnerability has been discovered in Axios, the immensely popular HTTP client used by millions of developers for Node.js and browser-based applications. The flaw, tracked as CVE-2026-2 ... Read more
-
Daily CyberSecurity
Triple Threat: Critical Gogs Flaws (CVSS 9.3) Allow RCE & 2FA Bypass
A triple threat of security vulnerabilities has been uncovered in Gogs, the popular self-hosted Git service known for its lightweight footprint. The flaws, tracked as CVE-2025-64111, CVE-2025-64175, a ... Read more
-
Daily CyberSecurity
Virtual Invasion: SolarWinds WHD Exploited to Host Hidden QEMU VMs
Image: Microsoft In a striking display of “living off the land” gone wrong, threat actors are turning legitimate administrative tools into stealthy backdoors. The Microsoft Defender Research Team has ... Read more
-
Daily CyberSecurity
Trust Broken: Critical Keylime Flaw (CVSS 9.4) Disables mTLS Authentication
A critical-severity vulnerability has been discovered in Keylime, the open-source tool used by cloud tenants to verify the integrity of their remote systems. Tracked as CVE-2026-1709, the flaw carries ... Read more
-
Daily CyberSecurity
Silent Killer: Black Basta Bundles “BYOVD” Driver to Blind Antivirus
The notorious Black Basta ransomware group has upgraded its arsenal with a dangerous new capability, embedding defense evasion tools directly inside its ransomware payload. A new report by The Threat ... Read more
-
Daily CyberSecurity
CVE-2026-25592: Critical Semantic Kernel Flaw (CVSS 10.0) Allows File Overwrite
Microsoft has issued a critical security advisory for developers using its Semantic Kernel .NET SDK, warning of a vulnerability that could allow AI agents to overwrite sensitive files on the host syst ... Read more
-
Daily CyberSecurity
CVE-2026-25544: Critical Payload CMS SQLi (CVSS 9.8) Exposes Admin Tokens
A massive security hole has been blown open in Payload, the popular “Next.js native CMS” designed to live directly inside application folders. The vulnerability, tracked as CVE-2026-25544, carries a c ... Read more
-
Daily CyberSecurity
Endpoint Exposed: Critical FortiClient EMS Flaw (CVSS 9.1) Allows Unauthenticated RCE
Fortinet has issued a high-priority security advisory for its FortiClient Enterprise Management Server (EMS), warning of a critical SQL injection vulnerability that could allow attackers to execute ar ... Read more
-
Daily CyberSecurity
Speed of Truth: X Trials “Collaborative Notes” to Supercharge Fact-Checking with Grok AI
Since the acquisition of Twitter by Elon Musk and its subsequent transformation into X, Community Notes has emerged as the platform’s quintessential bulwark against misinformation and deceptive narrat ... Read more
-
Daily CyberSecurity
The “All-in-One” Spy: DKnife Malware Hijacks Routers to Swap Downloads
Functions of seven DKnife components | Image: Cisco Talos A powerful new cyber weapon has been discovered lurking in routers and edge devices, capable of monitoring traffic, hijacking downloads, and d ... Read more
-
Daily CyberSecurity
“JackMa” & ShadowGuard: TGR-STA-1030 Spies on 37 Nations via Linux Rootkit
Countries targeted by TGR-STA-1030 reconnaissance between November and December 2025 | Image: Unit 42 A massive, state-aligned cyber espionage campaign has quietly infiltrated government networks acro ... Read more
-
Daily CyberSecurity
CVE-2026-1731: Critical BeyondTrust Flaw (CVSS 9.9) Allows Pre-Auth RCE
BeyondTrust has issued a critical security alert for its popular remote access solutions, warning of a near-maximum severity vulnerability that could allow hackers to seize control of systems without ... Read more
-
Daily CyberSecurity
CVE-2026-25526: Critical Jinjava Flaw (CVSS 9.8) Permits Remote Code Execution
A massive hole has been found in the walls of Jinjava, the popular Java-based template engine used to power thousands of websites on the HubSpot CMS. Tracked as CVE-2026-25526, this critical vulnerabi ... Read more
-
Daily CyberSecurity
Apple’s Golden Jubilee: Foldables, “Synthetic” Siri, and the Rise of Tim Cook’s Successor
As Apple approaches its momentous 50th anniversary on April 1, 2026, the global community watches with bated breath to discern its next strategic evolution. Beyond the allure of impending hardware, a ... Read more
The following table lists the changes that have been made to the
CVE-2026-20045 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jan. 22, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:-:*:*:* versions from (including) 12.5 up to (excluding) 14su5 *cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:-:*:*:* versions from (including) 15.0 up to (including) 15su3a *cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:* versions from (including) 12.5 up to (excluding) 14su5 *cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:* versions from (including) 15.0 up to (including) 15su3a *cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:*:*:*:*:*:*:*:* versions from (including) 12.5 up to (excluding) 14su5 *cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:*:*:*:*:*:*:*:* versions from (including) 15.0 up to (including) 15su3a *cpe:2.3:a:cisco:unity_connection:*:*:*:*:*:*:*:* versions from (including) 12.5 up to (excluding) 14su5 *cpe:2.3:a:cisco:unity_connection:*:*:*:*:*:*:*:* versions from (including) 15.0 up to (including) 15su3 Added Reference Type Cisco Systems, Inc.: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b Types: Vendor Advisory Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20045 Types: US Government Resource -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jan. 21, 2026
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20045 -
New CVE Received by [email protected]
Jan. 21, 2026
Action Type Old Value New Value Added Description A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Added CWE CWE-94 Added Reference https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b