Cisco Unified Communications 0-day RCE Vulnerability Exploited in the Wild to Gain Root Access

[Divergent]

Content source

https://cybersecuritynews.com/cisco-unified-cm-rce/

Cisco has disclosed a critical zero-day remote code execution (RCE) vulnerability, CVE-2026-20045, actively exploited in the wild.

Affecting key Unified Communications products, this flaw allows unauthenticated attackers to run arbitrary commands on the underlying OS, potentially gaining root access.

The Cisco Product Security Incident Response Team (PSIRT) confirmed exploitation attempts and urged immediate patching.

The issue stems from improper validation of user-supplied input in HTTP requests to the web-based management interface. An attacker sends crafted HTTP requests that bypass authentication, execute commands at the user level, and then escalate privileges to root. Cisco rated it Critical via Security Impact Rating (SIR), overriding the CVSS score due to root-level risks.

Cisco Unified Communications 0-day RCE Vulnerability Exploited in the Wild to Gain Root Access

Cisco has disclosed a critical zero-day remote code execution (RCE) vulnerability, CVE-2026-20045, actively exploited in the wild.

cybersecuritynews.com

 

[Divergent]

Technical Analysis
The vulnerability resides in the web-based management interface of the affected products.

Root Cause
The flaw is caused by "improper validation of user-supplied input in HTTP requests".

Attack Vector
An attacker can exploit this by sending crafted HTTP requests to the vulnerable device's management interface.

Privilege Escalation
Successful exploitation bypasses authentication and executes commands initially at the user level, which can subsequently be escalated to gain root access.

Exploitation Status
Active exploitation has been detected. Attackers are likely using automated scanners to identify exposed interfaces.

Affected Products

Unified CM (Bug ID: CSCwr21851)

Unified CM SME (Bug ID: CSCwr21851)

Unified CM IM&P (Bug ID: CSCwr29216)

Unity Connection (Bug ID: CSCwr29208)

Webex Calling Dedicated Instance (Bug ID: CSCwr21851)

Confirmed Unaffected
Contact Center SIP Proxy, Unified CCE.

Recommendation / Remediation

Critical Action
Apply the relevant patches immediately. There are no configuration workarounds available for this vulnerability.

Patch Management

Unified CM / IM&P / SME / Webex Calling

Release 12.5
Migrate to a fixed release.

Release 14
Upgrade to 14SU5 or apply the 14SU4a patch.

Release 15
Upgrade to 15SU4 (Expected Mar 2026) or apply 15SU2/3 patches.

Unity Connection

Release 12.5
Migrate to a fixed release.

Release 14
Upgrade to 14SU5 or apply the 14SU4 patch.

Release 15
Upgrade to 15SU4 (Expected Mar 2026) or apply the 15SU3 patch.

Network Segmentation (Compensating Control)
While not a fix for the vulnerability itself, you must restrict access to the management interface to trusted IPs only via firewalls or ACLs.

Ensure these interfaces are never exposed directly to the public internet.

Detection
Monitor web server logs for anomalous HTTP requests targeting the management interface.

Review system logs for unexpected command execution or user privilege changes.

References

Cisco Advisory
cisco-sa-voice-rce-mORhqY4b

CISA KEV
Pending addition to the Known Exploited Vulnerabilities catalog.