CVE-2026-20045
Published: 21 January 2026
Description
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of user-supplied input in HTTP requests to prevent code injection vulnerabilities like this CWE-94 flaw.
- Ensures timely identification, reporting, and remediation of flaws such as this specific CVE through patching and updates.
- Prevents unauthenticated remote access to the vulnerable web-based management interface by monitoring and controlling communications at system boundaries.
Security Summary
CVE-2026-20045 is a code injection vulnerability (CWE-94) affecting Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance. The flaw arises from improper validation of user-supplied input in HTTP requests processed by the web-based management interface, enabling an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).
An unauthenticated attacker with network access to the management interface can exploit the vulnerability by sending a sequence of crafted HTTP requests. Successful exploitation provides initial user-level access to the operating system, allowing subsequent privilege escalation to root privileges. Cisco assigned it a Critical Security Impact Rating due to this escalation potential, despite the CVSS score aligning with High.
The official Cisco Security Advisory details the issue and mitigation steps at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20045, confirming active exploitation in the wild.
Details
- CWE(s): CWE-94
- KEV Date Added: 21 January 2026
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote code execution via crafted HTTP requests to the public-facing web-based management interface (Exploit Public-Facing Application, T1190) enables arbitrary OS command execution on the Linux-based Cisco products (Command and Scripting Interpreter: Unix Shell, T1059.004).