Cisco Unified Communications 0-Day Actively Exploited for Remote Root Access

Cisco has issued a critical security advisory warning of an actively exploited zero-day vulnerability affecting multiple Unified Communications products.

The flaw, tracked as CVE-2026-20045, allows unauthenticated attackers to execute arbitrary commands and gain root-level access to vulnerable systems.

Vulnerability Details

The remote code execution (RCE) vulnerability resides in the HTTP request validation mechanism of Cisco’s web-based management interfaces.

An attacker can exploit this weakness by sending carefully crafted HTTP requests to trigger arbitrary command execution on the underlying operating system.

Once initial access is obtained, the attacker can escalate privileges to the root level, thereby gaining complete system control.

Cisco assigned a CVSS base score of 8.2 and classified the vulnerability as Critical under its Security Impact Rating system due to root access escalation potential.

The flaw stems from improper input validation and is categorized under CWE-94 (Code Injection).

Affected Products

Five enterprise communication platforms are vulnerable to exploitation:

• Cisco Unified Communications Manager (Unified CM)
• Cisco Unified Communications Manager Session Management Edition (Unified CM SME)
• Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P)
• Cisco Unity Connection
• Cisco Webex Calling Dedicated Instance

The vulnerability affects multiple software releases across these products, with version 12.5 showing no available patches.

Organizations running these systems remain at significant risk until remediation measures are implemented.

Cisco PSIRT has confirmed active exploitation attempts in the wild. This disclosure elevates urgency for enterprise security teams, as threat actors are actively leveraging the vulnerability against production systems.

No public exploit code is required; attackers can craft malicious HTTP sequences without authentication.

Cisco offers two mitigation paths for affected organizations. Recommended fixed software releases include Unified CM version 14SU5 and version 15SU4 (scheduled for March 2026).

For systems requiring immediate patching, Cisco provides version-specific patch files:

• Unified CM 14SU4a patch: ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
• Unified CM 15SU2/15SU3a patches are available for download from Cisco’s software portal

Unity Connection customers can apply CSCwr29208 patches targeting their respective software versions. Organizations running version 12.5 have no patch option and must migrate to supported releases entirely.

Notably, Cisco has stated that no workarounds exist to address this vulnerability, making immediate patching the only viable remediation strategy.

This vulnerability poses a severe risk to the enterprise communications infrastructure. Attackers gaining root access can intercept communications, modify call routing, deploy persistent backdoors, and compromise connected systems.

For organizations relying on Unified Communications for business continuity, this represents a critical threat requiring urgent attention.

Security teams should immediately inventory Unified Communications deployments and prioritize patching affected versions.

Organizations unable to patch immediately should consider network segmentation to restrict access to management interfaces and implement enhanced monitoring for suspicious HTTP requests targeting these systems.

Cisco’s CSAF documentation provides additional technical details and is available for integration with automated vulnerability management systems.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.

The post Cisco Unified Communications 0-Day Actively Exploited for Remote Root Access appeared first on Cyber Security News.