Cisco Drops Emergency Patch for Unified Communications Zero-Day Under Active Attack
Cisco has issued an urgent security alert and released patches for a critical zero-day vulnerability (CVE-2026-20045) affecting its core enterprise communication and collaboration tools. Security researchers and Cisco have confirmed that hackers are already exploiting this flaw in the wild to hijack corporate calling and messaging systems. The vulnerability is particularly dangerous because it requires no authentication, meaning an attacker can strike without needing a username or password.
The Details: How It Works
The flaw exists in the web-based management interface of several Cisco Unified Communications products. It stems from "improper validation of user-supplied input" in HTTP requests. By sending a carefully crafted sequence of these requests, a remote attacker can trick the system into executing malicious code.
- Initial Access: Attacker gains "user-level" access to the underlying operating system.
- Privilege Escalation: The attacker can then elevate their access to root privileges.
- Full Compromise: With root access, hackers can listen to calls, intercept messages, shut down services, or use the device as a "pivot point" to attack other parts of your internal network.
Are You at Risk? Impacted Platforms
This zero-day impacts both on-premise hardware and cloud-hosted dedicated instances:
- Cisco Unified Communications Manager (Unified CM / CUCM)
- Unified CM Session Management Edition (SME)
- Unified CM IM & Presence Service (IM&P)
- Cisco Unity Connection (Enterprise voicemail)
- Webex Calling Dedicated Instance
Note on Version 12.5: Cisco is not releasing a patch for the older 12.5 versions of these products. Organizations running 12.5 are urged to migrate to a newer, supported release immediately to stay protected.
Critical Actions to Take Now
Cisco warns that there are no workarounds for this vulnerability. Patching is the only way to secure your systems.
1. Update: Apply the version-specific patches (e.g., 14SU5 or 15SU4) provided by Cisco.
2. Restrict Access: Ensure management interfaces are not exposed to the public internet. Use a VPN or IP allow-lists for administrative access.
3. Audit Logs: Check your web management logs for unusual or repetitive HTTP requests targeting the management interface.
4. Deadline: CISA has added this to the "Known Exploited Vulnerabilities" catalog, setting a mandatory patch deadline of February 11, 2026 for federal agencies.
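The following is an added example, not code from Cisco or from this article, showing one way to carry out steps 2 and 3 on an exported web access log: it reports management-interface requests from sources outside the admin allow-list and sources sending repetitive bursts. The log layout (Common Log Format), the `MGMT_PREFIX` path, the admin network and the burst thresholds are assumptions to replace with your own values.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, not from the advisory: Common Log Format, a placeholder management
# path prefix, and an example admin network. Replace all three with your own.
MGMT_PREFIX = "/mgmt-ui-placeholder/"
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
BURST_COUNT, BURST_WINDOW = 5, timedelta(seconds=10)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+')

def audit(lines):
    """Return (off_allowlist_ips, repetitive_ips) for management-interface hits."""
    off_list, times = set(), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(MGMT_PREFIX):
            continue  # unparseable, or not the management interface
        try:
            ip = ipaddress.ip_address(m["ip"])
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname instead of IP, or malformed timestamp
        if not any(ip in net for net in ADMIN_NETS):
            off_list.add(str(ip))  # step 2: source outside the admin allow-list
        times[str(ip)].append(ts)
    bursty = set()
    for ip, stamps in times.items():
        stamps.sort()
        # step 3: BURST_COUNT requests inside BURST_WINDOW counts as repetitive
        if any(b - a <= BURST_WINDOW for a, b in zip(stamps, stamps[BURST_COUNT - 1:])):
            bursty.add(ip)
    return off_list, bursty

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    f'203.0.113.7 - - [21/Jan/2026:10:00:0{i} +0000] "POST {MGMT_PREFIX}form HTTP/1.1" 200 512'
    for i in range(6)
] + [
    f'10.20.0.15 - - [21/Jan/2026:10:05:00 +0000] "GET {MGMT_PREFIX}home HTTP/1.1" 200 2048',
    f'198.51.100.9 - - [21/Jan/2026:10:06:00 +0000] "GET {MGMT_PREFIX}home HTTP/1.1" 403 128',
    '203.0.113.7 - - [21/Jan/2026:10:07:00 +0000] "GET /phone/status HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    off_list, bursty = audit(SAMPLE)
    print("off allow-list:", sorted(off_list), "| repetitive:", sorted(bursty))
```

Any address in the first set means the management interface is reachable from outside the admin network, which is the exposure step 2 asks you to close.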
The flaw, tracked as CVE-2026-20045, allows an unauthenticated attacker to remotely execute malicious code on vulnerable systems and ultimately gain root access to affected servers. Cisco’s Product Security Incident Response Team (PSIRT) confirmed that exploitation attempts have already been observed in the wild, prompting strong warnings for customers to apply patches immediately.
What’s At Risk
The vulnerability affects several widely used Cisco enterprise communication products, including:
- Cisco Unified Communications Manager (Unified CM)
- Unified CM Session Management Edition (SME)
- Unified CM IM & Presence
- Cisco Unity Connection
- Webex Calling Dedicated Instance
According to Cisco, the issue stems from improper validation of user-supplied input in HTTP requests sent to the web-based management interface of affected products. By chaining specially crafted requests, an attacker could gain initial user-level access and then escalate privileges to root, giving them full control of the underlying operating system.
Although the flaw carries a CVSS score of 8.2, Cisco rated it Critical because successful exploitation results in root access.
No Workarounds Available
Cisco emphasized that there are no workarounds or configuration changes that can mitigate the issue, making software updates the only effective defense.
“The Cisco PSIRT is aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability,” the company said in its advisory.
The company has released version-specific patches and updated software releases for supported versions. Customers running older releases, such as version 12.5, are advised to migrate to fixed releases. Cisco also cautioned administrators to carefully review patch documentation before deployment, as the updates are specific to each software version.
Government Agencies On Deadline
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring the active threat. Federal agencies have been given until February 11, 2026, to apply the necessary updates.
The disclosure follows a series of recent security fixes from Cisco. Earlier this month, the company patched a vulnerability in its Identity Services Engine (ISE) after public proof-of-concept exploit code was released, as well as an AsyncOS zero-day that had reportedly been exploited since November.
What Customers Should Do
Organizations using Cisco Unified Communications or Webex Calling Dedicated Instance should:
- Identify affected products and versions
- Apply the appropriate patches or upgrade to fixed releases immediately
- Monitor systems for signs of compromise
With active exploitation confirmed and no temporary mitigations available, any delay in applying updates could leave critical communication infrastructure vulnerable to full system takeover.