CVE-2026-20045
📋 TL;DR
This critical vulnerability allows unauthenticated remote attackers to execute arbitrary commands on affected Cisco Unified Communications systems by sending crafted HTTP requests to the web management interface. Successful exploitation could lead to full system compromise with root access. All organizations using vulnerable versions of Cisco Unified CM, Unity Connection, Webex Calling Dedicated Instance, and related products are affected.
💻 Affected Systems
- Cisco Unified Communications Manager
- Cisco Unified Communications Manager Session Management Edition
- Cisco Unified Communications Manager IM & Presence Service
- Cisco Unity Connection
- Cisco Webex Calling Dedicated Instance
📦 What is this software?
Unified Communications Manager Im And Presence Service by Cisco
View all CVEs affecting Unified Communications Manager Im And Presence Service →
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with root privileges, allowing data theft, lateral movement, persistence, and disruption of voice communications services.
Likely Case
Remote code execution leading to credential harvesting, data exfiltration, and deployment of ransomware or other malware.
If Mitigated
Limited impact if systems are patched, network segmentation is in place, and web interfaces are not internet-facing.
🎯 Exploit Status
Unauthenticated exploitation with low complexity makes this highly attractive to attackers. CISA has added this to their Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple fixed versions available - refer to Cisco advisory for specific version mappings
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b
Restart Required: Yes
Instructions:
1. Review Cisco advisory for specific fixed versions for your products. 2. Download and apply appropriate patches from Cisco Software Center. 3. Restart affected services or systems as required. 4. Verify patch application and monitor for issues.
🔧 Temporary Workarounds
Restrict Web Interface Access
linuxLimit access to the web management interface using network access controls
# Configure firewall rules to restrict access to web interface ports
# Example: iptables -A INPUT -p tcp --dport 443 -s trusted_networks -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j DROP
Disable Unnecessary Web Services
linuxDisable web management interface if not required for operations
# Check Cisco documentation for service disable procedures
# Typically involves stopping web services via CLI
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from untrusted networks
- Deploy web application firewall (WAF) with rules to block malicious HTTP request patterns
🔍 How to Verify
Check if Vulnerable:
Check current software version against affected versions listed in Cisco advisory. Use CLI command: show version activeCheck Version:
show version activeVerify Fix Applied:
Verify installed version matches fixed versions in Cisco advisory. Check patch status via CLI: utils system upgrade status📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to web management interface
- Multiple failed authentication attempts followed by successful access
- Suspicious command execution in system logs
Network Indicators:
- Unusual outbound connections from voice systems
- HTTP requests with unusual parameters or patterns to management ports
SIEM Query:
source="cisco-voice" AND (http_request CONTAINS "malicious_pattern" OR http_status=200 AND user_agent="unusual")