Cisco UCM: CVE-2026-20045: Cisco Unified Communications Products Remote Code Execution Vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:L/AC:L/Au:S/C:C/I:C/A:C) | Jan 21, 2026 | Jan 21, 2026 | Jan 21, 2026 |
Description
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager
Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM and Presence Service
(Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an
unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an
affected device.
This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could
exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management
interface of an affected device. A successful exploit could allow the attacker to obtain user-level access
to the underlying operating system and then elevate privileges to root.
Solution