Critical Zero-Day Vulnerability in Cisco Unified Communications Exploited to Gain Root Access
Cisco has disclosed a critical zero-day remote code execution (RCE) vulnerability, tracked as CVE-2026-20045, that is being actively exploited in the wild. The flaw affects several core Unified Communications products and allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system and then escalate privileges to root.
Vulnerability Overview
The vulnerability stems from improper validation of user-supplied input in HTTP requests sent to the web-based management interface of affected devices. By sending a specially crafted HTTP request, an attacker can bypass authentication, execute commands as a low-privileged user, and subsequently elevate privileges to root. Cisco has assigned the vulnerability a Security Impact Rating (SIR) of Critical, reflecting the severity of unauthenticated root-level access to a platform that carries an organization's voice and messaging traffic.
Affected Products
The following Cisco products are impacted by this vulnerability, regardless of their configuration:
– Unified Communications Manager (Unified CM)
– Unified Communications Manager Session Management Edition (Unified CM SME)
– Unified Communications Manager IM & Presence Service (Unified CM IM&P)
– Unity Connection
– Webex Calling Dedicated Instance
Products such as Contact Center SIP Proxy, Unified Contact Center Enterprise (UCCE), and others have been confirmed as unaffected. For a comprehensive list and detailed information, refer to Cisco’s official advisory.
Fixed Releases and Patches
Cisco has released updates and patches to address this vulnerability. Administrators are urged to migrate to the fixed releases or apply the appropriate patches as specified:
Unified CM, Unified CM SME, Unified CM IM&P, and Webex Calling Dedicated Instance:
– Release 12.5: Migrate to a fixed release.
– Release 14: Upgrade to 14SU5 or apply the 14SU4a patch.
– Release 15: Upgrade to 15SU4 (available March 2026) or apply patches for 15SU2/3.
Unity Connection:
– Release 12.5: Migrate to a fixed release.
– Release 14: Upgrade to 14SU5 or apply the 14SU4 patch.
– Release 15: Upgrade to 15SU4 (available March 2026) or apply the 15SU3 patch.
Note that Cisco’s Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information documented in its advisory; for any release not listed above, administrators should consult Cisco rather than assume it is fixed.
Exploitation in the Wild
Cisco’s PSIRT has observed active exploitation attempts against unpatched systems. Because the flaw is reachable through the web-based management interface without credentials, attackers can be expected to scan for exposed interfaces at scale with automated tooling. Organizations running vulnerable VoIP and Unified Communications deployments are at significant risk, particularly in hybrid work environments where management interfaces are more often reachable from outside the corporate network.
Recommended Actions
Given the severity of this vulnerability and its active exploitation, immediate action is required:
1. Apply Patches Promptly: Update all affected systems to the fixed releases or apply the appropriate patches. Patching closes the vulnerability but does not evict an attacker who already obtained root; any system that was exposed while unpatched should be treated as potentially compromised and investigated.
2. Restrict Access: The web-based management interface should not be reachable from the internet. Limit access to trusted administrative networks or IP addresses through firewall rules, and verify the restriction from an untrusted vantage point.
3. Monitor Logs: Review web-server access logs and system logs for unusual HTTP requests to the management interface, requests from unexpected source addresses, and other indicators of compromise.
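A worked illustration of actions 2 and 3 above, as an added example that is not from Cisco’s advisory or this article: a small Python script that reads web-server access-log lines in the common combined format, keeps only requests to the management interface, and flags those coming from outside an administrative allowlist, ranking a request the server accepted (2xx/3xx) above one it rejected. The allowlist networks, the management-path prefixes and the log lines are all constructed for the example; the real path names and log format of an affected appliance should be taken from the product’s documentation.

```python
"""Flag management-interface requests from outside an administrative allowlist.

Added example; not part of Cisco's advisory or the original article.
Allowlist, path prefixes and log lines are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: administrators only reach the web UI from these networks.
# This is the same set the upstream firewall rule (action 2) should enforce.
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.100.0/24")]

# Assumption: URL path prefixes that belong to the management interface.
MGMT_PREFIXES = ("/ccmadmin", "/cmplatform", "/ccmservice", "/cuadmin")

# Apache/Tomcat "combined" access-log layout: ip ident user [time] "req" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
10.20.5.17 - admin [12/Feb/2026:09:14:02 +0000] "GET /ccmadmin/home.do HTTP/1.1" 200 5120
203.0.113.45 - - [12/Feb/2026:09:15:31 +0000] "POST /ccmadmin/login.do HTTP/1.1" 200 312
203.0.113.45 - - [12/Feb/2026:09:15:32 +0000] "GET /cmplatform/home.do HTTP/1.1" 403 0
192.168.100.8 - - [12/Feb/2026:09:16:10 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.7 - - [12/Feb/2026:09:17:44 +0000] "GET /ccmservice/ HTTP/1.1" 401 0
garbage line that does not parse
"""


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: int
    severity: str  # "high" if the server accepted the request, else "medium"


def is_allowlisted(ip: str) -> bool:
    """True if ip falls inside an administrative network; malformed ips are not trusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_ALLOWLIST)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per management-interface request from a non-allowlisted source."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # real logs contain noise; skip lines that do not parse
        path = m["path"].split("?", 1)[0]  # ignore query string when matching prefixes
        if not path.startswith(MGMT_PREFIXES):
            continue
        if is_allowlisted(m["ip"]):
            continue
        status = int(m["status"])
        # A 2xx/3xx means the interface processed a request from an untrusted network.
        severity = "high" if status < 400 else "medium"
        findings.append(Finding(m["ip"], m["method"], path, status, severity))
    return findings


def by_source(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per source address, e.g. to feed a block list."""
    return dict(Counter(f.ip for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity}] {f.ip} {f.method} {f.path} -> {f.status}")
    print("per source:", by_source(results))
```

Any "high" finding means the management interface was reachable from an untrusted network and processed the request, so the host should be treated as potentially compromised rather than merely patched; "medium" findings still show the interface is exposed and the firewall rule from action 2 is missing or incomplete.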
The Cybersecurity and Infrastructure Security Agency (CISA) is expected to add this vulnerability to its Known Exploited Vulnerabilities catalog shortly, underscoring the critical nature of this issue.
Conclusion
The disclosure of CVE-2026-20045 highlights the ongoing challenges in securing Unified Communications platforms. Organizations must remain vigilant, promptly apply security updates, and implement robust access controls to mitigate the risks associated with such vulnerabilities.