CVE-2026-20045
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-21

Last updated on: 2026-02-13

Assigner: Cisco Systems, Inc.

Description
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.  This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.  Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-02-13
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-20045
EUVD
EUVD-2026-3600
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
cisco unified_communications_manager From 12.5 (inc) to 14su5 (exc)
cisco unified_communications_manager From 12.5 (inc) to 14su5 (exc)
cisco unified_communications_manager From 15.0 (inc) to 15su3a (inc)
cisco unified_communications_manager From 15.0 (inc) to 15su3a (inc)
cisco unified_communications_manager_im_and_presence_service From 12.5 (inc) to 14su5 (exc)
cisco unified_communications_manager_im_and_presence_service From 15.0 (inc) to 15su3a (inc)
cisco unity_connection From 12.5 (inc) to 14su5 (exc)
cisco unity_connection From 15.0 (inc) to 15su3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a critical remote code execution flaw in multiple Cisco Unified Communications products. It occurs due to improper validation of user-supplied input in HTTP requests to the web-based management interface. An unauthenticated remote attacker can exploit this by sending specially crafted HTTP requests, allowing them to execute arbitrary commands on the underlying operating system. Initially, the attacker gains user-level OS access and can then escalate privileges to root. [1]

Impact Analysis

Exploitation of this vulnerability can allow an unauthenticated remote attacker to execute arbitrary commands on the affected device's operating system, potentially gaining root-level access. This can lead to full control over the device, unauthorized access to sensitive information, disruption of services, and compromise of the network infrastructure relying on these Cisco products. [1]

Mitigation Strategies

Cisco strongly recommends upgrading to fixed software releases to remediate this vulnerability. There are no workarounds or mitigations available. Immediate steps include migrating affected products to the fixed releases corresponding to your version, such as upgrading to 14SU5 or applying the appropriate patch files for versions 14 and 15, or migrating from version 12.5 to a fixed release. For assistance, contact Cisco Technical Assistance Center (TAC) with product serial numbers and advisory URLs as proof of entitlement to free upgrades. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20045. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart