Article Details
Scrape Timestamp (UTC): 2026-01-22 11:00:02.518
Source: https://www.theregister.com/2026/01/22/another_week_another_emergency_patch/
Original Article Text
Another week, another emergency patch as Cisco plugs Unified Comms zero-day.
The critical-rated flaw leaves unpatched systems open to full takeover.
Cisco has finally shipped a fix for a critical-rated zero-day in its Unified Communications gear, a flaw that's already being weaponized in the wild, and which CISA previously flagged as an emergency priority.
The bug, tracked as CVE-2026-20045, lurks in the web-management interfaces of Cisco Unified Communications Manager (Unified CM), Session Management Edition (SME), IM & Presence Service (IM&P), Cisco Unity Connection, and Webex Calling Dedicated Instance platforms. It allows unauthenticated remote attackers to execute arbitrary code on the underlying operating system and potentially escalate to root.
Cisco's Product Security Incident Response Team gave it a "Critical" severity rating, even though its CVSS base score sits in the "High" range, because successful exploits can lead to full system compromise.
The networking giant said it is "aware of attempted exploitation of this vulnerability in the wild" and has urged customers to apply fixes immediately. Cisco hasn't said how many customers are affected, whether any data has been exfiltrated from affected environments, or who is behind these exploitation attempts. The firm did not immediately respond to The Register's questions.
The issue sits in the management interface's HTTP handling and can be triggered without logging in. "This vulnerability is due to improper validation of user-supplied input in HTTP requests," Cisco explains in its advisory. "An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device."
Given how often those interfaces are reachable over internal networks or VPNs, it's not hard to see why attackers have noticed.
This fix comes just days after Cisco was forced to roll out another set of patches for a different critical remote code execution bug in its Secure Email Gateway and Secure Email and Web Manager products, CVE-2025-20393, underscoring a rough start to the year for Switchzilla's own code.
CISA has added the flaw to its Known Exploited Vulnerabilities list, meaning federal agencies have a deadline to patch, and everyone else has little excuse to wait.
Cisco hasn't offered a workaround, which means if you're running the affected software, you're mostly patching and hoping you get there before someone else does.
For anyone still treating voice infrastructure as boring plumbing, this is another reminder that attackers very much are not.
Daily Brief Summary
Cisco has issued a critical patch for a zero-day vulnerability in its Unified Communications systems, which is actively being exploited in the wild.
The flaw, identified as CVE-2026-20045, affects multiple Cisco platforms, including Unified Communications Manager and Webex Calling Dedicated Instance.
This vulnerability allows unauthenticated remote attackers to execute arbitrary code and potentially gain root access, posing a severe risk of full system compromise.
Cisco's Product Security Incident Response Team has prioritized this flaw due to its potential impact, despite a "High" CVSS score.
The vulnerability arises from improper validation of user input in HTTP requests, making it exploitable without authentication.
CISA has added this flaw to its Known Exploited Vulnerabilities list, urging immediate patching across federal agencies and other users.
No workarounds are available, making timely patch application crucial to prevent exploitation.
This incident follows closely on the heels of another critical patch for Cisco's Secure Email products, indicating ongoing challenges in securing their software.