Cisco has issued emergency patches to address a dangerous security flaw. This widespread issue now impacts its Unified Communications as a Service (UCaaS) products and Webex Calling Dedicated Instance. The vulnerability is being tracked as CVE-2026-20045. In fact, it has received a Common Vulnerability Scoring System (CVSS) score of 8.2, putting it in the serious category. This vulnerability lets unauthenticated remote adversaries run arbitrary commands. It exposes the organizations that utilize these vulnerable devices to serious danger.
Unfortunately, the recent discovery of CVE-2026-20045 is not an isolated incident, as another critical vulnerability, CVE-2025-20393, was disclosed just a week prior and it presented similar risks. Now Cisco has identified that attackers are actively attempting to exploit this vulnerability in the wild. As a consequence, they have rushed to release patches in order to fix the flaw.
Details of the Vulnerability
CVE-2026-20045 exists because there isn’t proper input validation of user-supplied input in HTTP requests. This dangerous technical vulnerability can allow assailants to gain root privileges on the system. A critical-rated vulnerability exposes multiple releases of Cisco’s Unified CM products. This goes for Cisco Unity Connection, which has multiple fixed releases available on multiple versions.
For Release 12.5, it is recommended that users switch to a fixed release. Meanwhile, those using Release 14 should upgrade to version 14SU5 or apply the patch file: ciscocm.cuc. Additionally, Cisco Unity Connection Release 15 users must transition to version 15SU4 by March 2026 or utilize the patch file: ciscocm.
“This vulnerability is due to improper validation of user-supplied input in HTTP requests,” – Cisco
CISA Involvement and Compliance Deadlines
Our own U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical weakness. They added CVE-2026-20045 to their Known Exploited Vulnerabilities (KEV) catalog. Now it’s time for Federal Civilian Executive Branch (FCEB) agencies to put those addresses and more importantly, those fixes into action. Fortunately, they have until February 11, 2026 to do so. This requirement places a needed burden toward compliance on federal agencies, stressing the immediate threat that this security vulnerability presents.
Cisco’s proactive measures in releasing these patches send a strong signal about its commitment to protecting its customers from cybersecurity threats. The company says it’s tracking the situation very carefully. We strongly recommend consumers of the products mentioned to update to safe versions as soon as possible.
Recent Vulnerabilities and Ongoing Risks
Newly announced Cisco CVE-2026-20045 is a case in point. This announcement comes only days after they reported on the critical vulnerability CVE-2025-20393 with the highest CVSS score of 10.0. According to Cisco, attackers took advantage of this vulnerability to execute arbitrary commands with root privileges. In retort, Cisco published the recommended patch files to address the implicated dangers.
Cybersecurity threats and vulnerabilities are changing at an unprecedented speed. Organizations adopting Cisco’s communications solutions will need to be ever watchful and take a proactive approach to applying security updates. Cisco wants businesses to remember that knowing where vulnerabilities can be found is key to ensuring proactive, well-informed cybersecurity defenses.
“We are aware of attempted exploitation of this vulnerability in the wild,” – Cisco
