Article Details
Scrape Timestamp (UTC): 2026-01-22 04:08:33.793
Source: https://thehackernews.com/2026/01/cisco-fixes-actively-exploited-zero-day.html
Original Article Text
Click to Toggle View
Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex. Cisco has released fresh patches to address what it described as a "critical" security vulnerability impacting multiple Unified Communications (CM) products and Webex Calling Dedicated Instance that it has been actively exploited as a zero-day in the wild. The vulnerability, CVE-2026-20045 (CVSS score: 8.2), could permit an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of a susceptible device. "This vulnerability is due to improper validation of user-supplied input in HTTP requests," Cisco said in an advisory. "An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root." The critical rating for the flaw is due to the fact that its exploitation could allow for privilege escalation to root, it added. The vulnerability impacts the following products - It has been addressed in the following versions - Cisco Unified CM, CM SME, CM IM&P, and Webex Calling Dedicated Instance - Cisco Unity Connection The networking equipment major also said it's "aware of attempted exploitation of this vulnerability in the wild," urging customers to upgrade to a fixed software release to address the issue. There are currently no workarounds. An anonymous external researcher has been credited with discovering and reporting the bug. The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by February 11, 2026. The discovery of CVE-2026-20045 comes less than a week after Cisco released updates for another actively exploited critical security vulnerability affecting AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager (CVE-2025-20393, CVSS score: 10.0) that could permit an attacker to execute arbitrary commands with root privileges.
Daily Brief Summary
Cisco has issued patches for a critical zero-day vulnerability, CVE-2026-20045, affecting Unified Communications products and Webex Calling, which has been exploited in the wild.
The flaw, with a CVSS score of 8.2, allows unauthenticated remote attackers to execute arbitrary commands and escalate privileges to root on affected systems.
Exploitation is possible through crafted HTTP requests targeting the web-based management interface, due to improper input validation.
Impacted products include Cisco Unified CM, CM SME, CM IM&P, Webex Calling Dedicated Instance, and Cisco Unity Connection.
Cisco urges customers to upgrade to the fixed software release immediately, as no workarounds are available for this vulnerability.
The U.S. CISA has added CVE-2026-20045 to its Known Exploited Vulnerabilities catalog, mandating Federal Civilian Executive Branch agencies to apply fixes by February 11, 2026.
This discovery follows another critical vulnerability update for Cisco Secure Email products, underscoring the ongoing need for vigilance in patch management.