Cisco has disclosed and released patches for CVE-2026-20045, a remotely exploitable vulnerability in which an unauthenticated attacker sends crafted HTTP requests to a web-based management interface and can ultimately elevate privileges to root, according to the National Vulnerability Database (NVD) entry derived from Cisco’s CNA submission.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog, with a federal remediation due date of February 11, 2026. As a rule, CISA adds a vulnerability to KEV only when it has evidence of exploitation in the wild.
In a statement to TechInformed, a Cisco spokesperson said: “On January 21, Cisco published a security advisory disclosing a vulnerability in several products, including in Cisco Unified Communications Manager.”
It added that “Cisco PSIRT is aware of attempted exploitation of this vulnerability in the wild, and we strongly urge customers to upgrade to available fixed software releases that address this vulnerability,” and advised customers to refer to the security advisory for additional guidance.
The enterprise footprint is large by design
Cisco positions Unified Communications Manager (UCM) as “trusted by over 30 million users around the world,” underscoring why defenders are treating this as more than a routine patch cycle.
The NVD record lists the affected products as Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence Service (IM&P), Cisco Unity Connection and Cisco Webex Calling Dedicated Instance.
What the vulnerability enables
NVD attributes the issue to “improper validation of user-supplied input in HTTP requests.” Exploitation involves “a sequence of crafted HTTP requests” to the web-based management interface. A successful exploit first gives the attacker user-level operating-system access, which can then be escalated to root.
Signs of scanning, but limited public detail on intrusions
Multiple security firms say the early activity looks consistent with broad targeting. SOCRadar reported indicators it interpreted as mass scanning for exposed management interfaces and attempts to use unauthenticated HTTP access to gain an initial foothold, while noting attribution remains unclear.
Arctic Wolf, in a separate bulletin, said it had not identified a publicly available proof-of-concept exploit but expects continued targeting because of the impact of root-level control.
The practical problem for enterprises is that unified communications platforms are operationally “always on”: they carry voice, conferencing and telepresence services, and their admin surfaces can drift into reachability from untrusted networks as exposure controls erode over time.
Recent Cisco cyber activity
In December 2025, Cisco Talos published a threat advisory on UAT-9686 targeting Cisco secure email products, describing tooling used for persistence and operational stealth.
In parallel, public government alerts in September 2025 described exploitation of Cisco ASA/FTD vulnerabilities in a campaign attributed to ArcaneDoor; an NHS cyber alert, for example, states that the attacker “attributed to ArcaneDoor” exploited the listed CVEs.
What enterprises should do now
The NVD record for CVE-2026-20045 (based on Cisco’s CNA description) says exploitation involves crafted HTTP requests to the web-based management interface, and that successful exploitation can result in privilege escalation to root. That makes externally reachable management interfaces the highest-risk starting point for triage: find them first, then patch them first.
CISA’s KEV catalog states that for listed vulnerabilities, organizations should “apply mitigations per vendor instructions” or discontinue use of the product if mitigations aren’t available.
Separately from this CVE, CISA’s Binding Operational Directive BOD 23-02 focuses specifically on “mitigating the risk from internet-exposed management interfaces,” reflecting CISA’s position that exposed management planes are a recurring, high-impact intrusion path.
For communications infrastructure, CISA’s hardening guidance also advises limiting management traffic exposure to the internet and allowing management only through a “limited and enforced network path.”
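A practical first triage step, given the guidance above, is to read the management interface’s web access log and answer two questions: which sources outside the approved management path have reached the admin web applications, and which of them are hammering it in a way consistent with scanning. The script below is an added example, not code from Cisco or from the article’s sources. It assumes a Common Log Format access log (Tomcat and Apache emit this shape), an allow-listed management network of 10.20.0.0/16, and that the management web applications live under the path prefixes listed in MGMT_PREFIXES; the log lines, addresses and paths are constructed for the example and should be replaced with your own deployment’s values. It deliberately does not encode any request pattern specific to CVE-2026-20045, because none is published.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Common Log Format). IPs, paths and
# timestamps are made up for this example.
SAMPLE_LOG = """\
10.20.0.5 - - [22/Jan/2026:09:01:10 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 200 5120
203.0.113.44 - - [22/Jan/2026:09:02:01 +0000] "GET /ccmadmin/ HTTP/1.1" 302 0
203.0.113.44 - - [22/Jan/2026:09:02:02 +0000] "POST /ccmadmin/j_security_check HTTP/1.1" 200 912
203.0.113.44 - - [22/Jan/2026:09:02:02 +0000] "GET /ccmadmin/serviceability HTTP/1.1" 404 0
203.0.113.44 - - [22/Jan/2026:09:02:03 +0000] "GET /cmplatform/ HTTP/1.1" 302 0
198.51.100.9 - - [22/Jan/2026:09:05:30 +0000] "GET /ccmuser/ HTTP/1.1" 200 2048
10.20.0.5 - - [22/Jan/2026:09:10:00 +0000] "GET /ccmadmin/phoneList.do HTTP/1.1" 200 7000
"""

# Assumptions for this example: the only network that should ever reach the
# management interface, and the path prefixes that serve management apps.
ALLOWED_MGMT_NETS = ["10.20.0.0/16"]
MGMT_PREFIXES = ("/ccmadmin", "/cmplatform", "/ccmservice")

# One Common Log Format line: ip ident user [ts] "METHOD path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_clf(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def triage(log_text, allowed_nets, mgmt_prefixes, burst_threshold=3, window_seconds=60):
    """Flag management-interface requests from outside the allowed management
    networks, and sources that issue burst_threshold or more management
    requests inside any window_seconds window (a crude scanning signal)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or not rec["path"].startswith(mgmt_prefixes):
            continue  # unparsable, or not a management-app request
        per_source[rec["ip"]].append(rec["ts"])

    unexpected = {}
    bursts = []
    for ip, stamps in per_source.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            unexpected[ip] = len(stamps)
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[hi] - stamps[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= burst_threshold:
                bursts.append(ip)
                break
    return {"unexpected_sources": unexpected, "bursts": sorted(bursts)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, ALLOWED_MGMT_NETS, MGMT_PREFIXES)
    for ip, n in result["unexpected_sources"].items():
        print(f"management requests from outside allowed nets: {ip} ({n} requests)")
    for ip in result["bursts"]:
        print(f"burst of management requests (possible scanning): {ip}")
```

On the constructed input the script reports 203.0.113.44 both as an outside source (four management requests) and as a burst; 10.20.0.5 is inside the allowed network and far too slow to trip the window, and 198.51.100.9 only touched a non-management path. Two caveats apply: a clean report says nothing about requests that never reached the access log (or logs already rotated away), and narrowing exposure is a compensating control, not a substitute for the fixed releases Cisco’s advisory points to.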