Cisco Addresses Critical Zero-Day Vulnerability in Unified Communications and Webex Calling
Cisco has issued critical security updates to address a zero-day vulnerability in its Unified Communications and Webex Calling systems, which has been actively exploited in recent attacks. The vulnerability, tracked as CVE-2026-20045, poses a significant risk to Cisco's Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance.
The flaw stems from improper validation of user-supplied input in HTTP requests. An attacker can exploit it by sending crafted HTTP requests to the web-based management interface. A successful exploit could grant the attacker user-level access to the underlying operating system, from which privileges can then be elevated to root.
Despite a CVSS score of 8.2, Cisco has assigned the vulnerability a Critical severity rating due to the potential for root access on servers. The company has released software updates and patch files to address the issue, urging customers to upgrade to the latest software as soon as possible.
Cisco's Product Security Incident Response Team (PSIRT) has confirmed the presence of active exploitation attempts, emphasizing the urgency of the situation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, setting a deadline of February 11, 2026, for federal agencies to deploy the necessary updates.
This incident highlights the ongoing challenge of staying ahead of emerging threats. Cisco has also recently patched other vulnerabilities, including an Identity Services Engine (ISE) flaw and an AsyncOS zero-day, demonstrating the importance of proactive security measures and regular software updates.