CVE-2026-20045
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
3Tags
Description
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.
Analysis
Cisco Unified Communications Manager and related products contain a code injection vulnerability (CVE-2026-20045) that allows unauthenticated remote attackers to execute arbitrary code. This KEV-listed vulnerability affects the core enterprise voice/video infrastructure including Unified CM, IM&P, Unity Connection, and Webex Calling Dedicated Instance, making it a high-priority threat for organizations dependent on Cisco collaboration tools.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all affected systems and apply vendor patches immediately. Validate that input sanitization is in place for all user-controlled parameters.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today