Cisco has published urgent updates to fix a security vulnerability that the company rates as critical and that is already being exploited in the wild. Tracked as CVE-2026-20045, with a CVSS score of 8.2, the flaw allows an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of affected devices, which can lead to privilege escalation to root.
According to Cisco's official advisory, the root cause is insufficient validation of user-supplied data in HTTP requests sent to the web management interface. An attacker could send a specially crafted sequence of requests and, if successful, first gain user-level access to the system and then elevate it to take full control of the machine. Cisco describes the attack vector and the affected products in its security advisory.

The fixes published by Cisco cover several editions of its unified communications platform, including Unified Communications Manager (Unified CM), Session Management Edition (SME), IM & Presence Service (IM&P), Unity Connection and the Webex Calling Dedicated Instance offering. For many product branches the general recommendation is to migrate to a fixed release; in other cases Cisco provides specific patch files to install. For example, for release lines 14 and 15 the guidance is to migrate to 14SU5 or 15SU4 (or apply the .cop packages named by the vendor), and for 12.5 the recommendation is to move to a release that includes the fix.
It is important to stress that Cisco reports no known workarounds that completely mitigate the vulnerability, so the only reliable remedy is to upgrade to the fixed releases or apply the supplied patches. The company has credited an anonymous external researcher with discovering the flaw and has warned of exploitation attempts in the wild, which increases the urgency for operations teams.
The U.S. government has reacted by adding this vulnerability to CISA's Known Exploited Vulnerabilities (KEV) catalog. The agency published a note on the addition of CVE-2026-20045 to the list on January 21, 2026 and requires federal civilian executive branch agencies to apply the fixes by February 11, 2026, reflecting the severity and the risk of active exploitation.
If you manage environments that use Cisco's voice and collaboration products, the immediate priority should be to identify the affected instances and schedule the update as soon as possible. In addition to applying the fixed software, reduce the exposure of management interfaces: restrict access to the web interface with network access controls, enable access control lists (ACLs), and make the management panel reachable only from secure management networks or through robust VPN tunnels. It is also recommended to review access logs and alerts for unusual activity that may indicate exploitation attempts.
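One way to act on the access-restriction and log-review advice above, as an added example that is not from Cisco or the original article: it flags requests that reached a management interface from outside the approved management networks. The subnets, the log format and the `/mgmt/` path are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the only networks allowed to reach the management interface.
MGMT_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.16/28")]

# Constructed sample in a common-log-style format; not real device output.
# "/mgmt/" is a hypothetical placeholder path.
SAMPLE_LOG = """\
10.20.0.15 - admin [21/Jan/2026:09:12:01 +0000] "GET /mgmt/ HTTP/1.1" 200 5120
198.51.100.7 - - [21/Jan/2026:09:14:33 +0000] "POST /mgmt/ HTTP/1.1" 500 312
198.51.100.7 - - [21/Jan/2026:09:14:35 +0000] "POST /mgmt/ HTTP/1.1" 500 312
192.0.2.20 - admin [21/Jan/2026:09:20:10 +0000] "GET /mgmt/ HTTP/1.1" 200 5120
203.0.113.44 - - [21/Jan/2026:09:31:02 +0000] "GET /mgmt/ HTTP/1.1" 401 128
this line is truncated or garbled
192.0.2.40 - - [21/Jan/2026:09:40:00 +0000] "GET /mgmt/ HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) \S+ [^"]*" (\d{3}) \S+')

def audit(log_text, mgmt_networks=MGMT_NETWORKS):
    """Return (per-source summary of out-of-policy requests, unparsed line count)."""
    outside, unparsed = {}, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        try:
            addr = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            addr = None
        if addr is None:
            unparsed += 1          # keep a count: silent drops hide evidence
            continue
        if any(addr in net for net in mgmt_networks):
            continue               # request came from an approved network
        entry = outside.setdefault(
            str(addr), {"requests": 0, "methods": Counter(), "server_errors": 0})
        entry["requests"] += 1
        entry["methods"][m.group(2)] += 1
        entry["server_errors"] += int(m.group(3).startswith("5"))
    return outside, unparsed

if __name__ == "__main__":
    findings, skipped = audit(SAMPLE_LOG)
    for src, info in sorted(findings.items(), key=lambda kv: -kv[1]["requests"]):
        print(src, info["requests"], dict(info["methods"]), info["server_errors"])
    print("unparsed lines:", skipped)
```

Any source listed here got past the network controls that should confine the interface to management networks, so each hit is both an ACL gap to close and a session to review.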
This flaw comes at a time when Cisco has already had to publish fixes for other defects exploited in production; weeks ago, another critical vulnerability was reported in AsyncOS for Cisco secure mail gateways that also allowed remote execution with high privileges. This background shows that security and communications infrastructure remains a priority target for attackers seeking persistent entry points into corporate networks.

For technical details, lists of affected versions and patch download links, the primary source is the Cisco advisory, which contains specific instructions per product. Administrators can also consult the CVE entry in NIST's vulnerability database for standardized information and cross-references: NVD - CVE-2026-20045.
We must not lose sight of the fact that successful exploitation of telephony and messaging components can enable lateral movement within the network, interception or manipulation of communications, and in extreme cases serve as a foothold for deploying additional malicious payloads. Therefore, in addition to patching, it is good practice to review network segmentation, verify backups and make sure that incident response plans are up to date and can be activated quickly.
In an increasingly connected world, voice and collaboration systems tend to be seen as peripheral infrastructure, but this episode is a reminder that they are critical components with privileges and connectivity that attackers can exploit. The most effective action now is to apply the official patches without delay and tighten access to administrative consoles until it is confirmed that all instances are updated and monitored.