Cisco Unified CM Cmd Exec via HTTP :: Critical Remote Exploit
CVE-2026-20045 Published on January 21, 2026
Cisco Unified Communications Products Remote Code Execution Vulnerability
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.
This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.
Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.
Known Exploited Vulnerability
This Cisco Unified Communications Products Code Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.
The following remediation steps are recommended / required by February 11, 2026: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2026-20045 can be exploited with network access and requires neither authorization privileges nor user interaction. It is considered to have a low attack complexity and is known to be actively exploited by threat actors in an automatable fashion. An exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and no impact on availability.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-20045 has been classified as a Code Injection vulnerability or weakness.
Products Associated with CVE-2026-20045
Affected Versions
Cisco Unified Communications Manager:
- Version 12.5(1)SU2 is affected.
- Version 12.5(1)SU1 is affected.
- Version 12.5(1) is affected.
- Version 12.5(1)SU3 is affected.
- Version 12.5(1)SU4 is affected.
- Version 14 is affected.
- Version 12.5(1)SU5 is affected.
- Version 14SU1 is affected.
- Version 12.5(1)SU6 is affected.
- Version 14SU2 is affected.
- Version 12.5(1)SU7 is affected.
- Version 12.5(1)SU7a is affected.
- Version 14SU3 is affected.
- Version 12.5(1)SU8 is affected.
- Version 12.5(1)SU8a is affected.
- Version 15 is affected.
- Version 15SU1 is affected.
- Version 14SU4 is affected.
- Version 14SU4a is affected.
- Version 15SU1a is affected.
- Version 12.5(1)SU9 is affected.
- Version 15SU2 is affected.
- Version 15.0.1.13010-1 is affected.
- Version 15.0.1.13011-1 is affected.
- Version 15.0.1.13012-1 is affected.
- Version 15.0.1.13013-1 is affected.
- Version 15.0.1.13014-1 is affected.
- Version 15.0.1.13015-1 is affected.
- Version 15.0.1.13016-1 is affected.
- Version 15.0.1.13017-1 is affected.
- Version 15SU3a is affected.
- Version 12.5(1) is affected.
- Version 12.5(1)SU1 is affected.
- Version 12.5(1)SU2 is affected.
- Version 12.5(1)SU3 is affected.
- Version 12.5(1)SU4 is affected.
- Version 14 is affected.
- Version 12.5(1)SU5 is affected.
- Version 14SU1 is affected.
- Version 12.5(1)SU6 is affected.
- Version 14SU2 is affected.
- Version 14SU2a is affected.
- Version 12.5(1)SU7 is affected.
- Version 14SU3 is affected.
- Version 12.5(1)SU8 is affected.
- Version 15 is affected.
- Version 15SU1 is affected.
- Version 14SU4 is affected.
- Version 12.5(1)SU9 is affected.
- Version 15SU2 is affected.
- Version 15SU3 is affected.
- Version 12.5(1) is affected.
- Version 12.5(1)SU1 is affected.
- Version 12.5(1)SU2 is affected.
- Version 12.5(1)SU3 is affected.
- Version 12.5(1)SU4 is affected.
- Version 14 is affected.
- Version 12.5(1)SU5 is affected.
- Version 14SU1 is affected.
- Version 12.5(1)SU6 is affected.
- Version 14SU2 is affected.
- Version 12.5(1)SU7 is affected.
- Version 14SU3 is affected.
- Version 12.5(1)SU8 is affected.
- Version 14SU3a is affected.
- Version 12.5(1)SU8a is affected.
- Version 15 is affected.
- Version 15SU1 is affected.
- Version 14SU4 is affected.
- Version 12.5(1)SU9 is affected.
- Version 15SU2 is affected.
- Version 15SU3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.