Cisco Addresses Critical Zero-Day Vulnerability in Unified Communications and Webex Calling
Cisco has issued critical security patches to address a zero-day vulnerability in its Unified Communications and Webex Calling systems, which has been actively exploited in recent attacks. The vulnerability, tracked as CVE-2026-20045, poses a significant risk to Cisco's Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance.
The flaw stems from improper validation of user-supplied input in HTTP requests, enabling attackers to exploit the vulnerability by sending crafted HTTP requests to the web-based management interface of affected devices. A successful exploit could grant attackers user-level access to the underlying operating system and subsequently elevate privileges to root level.
Despite a CVSS score of 8.2, Cisco assigned the vulnerability a Critical severity rating due to the potential for root access on servers. Cisco has released software updates and patch files to address this issue, urging customers to upgrade to the latest software as soon as possible.
The company emphasizes that there are no workarounds to mitigate the flaw without installing the provided updates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also taken action, adding CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) Catalog and setting a deadline of February 11, 2026, for federal agencies to deploy the necessary updates.
This incident follows recent security concerns, including a patched Identity Services Engine (ISE) vulnerability with public proof-of-concept exploit code and a zero-day vulnerability in AsyncOS that has been actively exploited since November. As budget season approaches, the 2026 CISO Budget Benchmark report offers valuable insights into how security leaders are planning and prioritizing their investments for the year ahead.
