Threat Advisories:
CVE-2026-20045: Critical Cisco Unified Communications Actively Exploited Evelyn Stealer’s Stealth Campaign Against Developers Malicious Chrome Extensions Hijacking Enterprise HR Platforms Geopolitics as Bait: LOTUSLITE Backdoor Targets U.S. Entities Admin Access Without Credentials Puts 40,000+ WordPress Sites at Risk Ni8mare in n8n: CVE-2026-21858 Bug Exposing 100,000 Servers to Risk VoidLink: A Cloud-Native Linux Framework Built for Stealth and Scale CVE-2025-64155: Critical FortiSIEM RCE with Public Exploits Available Microsoft’s January 2026 Patch Tuesday AsyncRAT Behind the Cloudflare Curtain Chinese APT Espionage Turns Telecom Systems Into Covert Relay Nodes MuddyWater’s Rust Implants Target the Middle East CVE-2025-37164: Critical RCE in HPE OneView Under Active Exploitation Astaroth Reimagined: Weaponizing WhatsApp for Scalable Banking Fraud GoBruteforcer Exposed: How Weak Credentials Power a Silent Linux Botnet CVE-2026-0625: A Decade-Long Risk in D-Link DSL Routers Enabling Full System Compromise PHALT#BLYX: Fake BSOD Campaign Targets Hospitality CVE-2025-13915: Authentication Bypass Puts IBM API Connect at Risk VVS Stealer Exposed: Inside a Stealthy Discord Credential Theft Operation Silent Clicks, Lasting Access: APT36’s Fileless Espionage Playbook
Hive Pro recognized in Gartner® Magic Quadrant™ for Exposure Assessment Platform, 2025 Watch platform in action
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s ComparisonSave Cost , Reduce Complexity and Increase Security by Augmenting and Replacing your existing Vulnerability Management platform
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Threat Advisories
Threat Digests
Blog
Whitepapers
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Whitepapers
Press Releases
connect
Webinars & Videos
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s Comparison
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Threat Advisories
Threat Digests
Blog
Whitepapers
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Whitepapers
Press Releases
connect
Webinars & Videos
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe

CVE-2026-20045: Critical Cisco Unified Communications Actively Exploited

Red | Vulnerability Report
Download PDF

Summary

CVE-2026-20045 is a critical remote code execution vulnerability affecting multiple Cisco Unified Communications products widely deployed for enterprise telephony and collaboration infrastructure. First observed being exploited on January 21, 2026, this Cisco Unified Communications vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands through improper input validation in the web-based management interface. The flaw impacts Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance.

Active exploitation has been confirmed in the wild, particularly targeting internet-facing deployments where attackers send specially crafted HTTP requests to gain OS-level access and potentially escalate privileges to root. The Cisco RCE vulnerability poses severe risk to large enterprises, government agencies, and regulated industries that depend on these products for voice communications, instant messaging, presence services, and voicemail infrastructure. Cisco has released security patches and fixed software versions for all affected products, though some older releases require migration to supported versions. Organizations are strongly urged to apply vendor-provided updates immediately and restrict management interface exposure to trusted networks to mitigate this critical threat.

Vulnerability Details

Critical Remote Code Execution in Cisco Unified Communications Products

CVE-2026-20045 represents a critical remote code execution vulnerability affecting the core infrastructure products in Cisco’s Unified Communications suite. These products are extensively deployed by large enterprises, government agencies, and regulated industries to manage mission-critical voice communications, instant messaging, presence services, and voicemail systems. The Cisco Unified Communications Manager vulnerability allows unauthenticated remote attackers to interact with the web-based management interface in ways that trigger arbitrary command execution on the underlying operating system.

The vulnerability achieves critical severity due to its combination of no authentication requirement, remote network attack vector, and potential for complete system compromise. Attackers can exploit the flaw by sending crafted HTTP requests to affected management interfaces, moving directly from network access to OS-level command execution without requiring any prior credentials or user interaction.

Improper Input Validation Enables Code Injection

The root cause of the Cisco vulnerability lies in improper validation of user-supplied input in HTTP requests sent to the affected products’ management interfaces. The software fails to adequately sanitize or neutralize potentially malicious input before processing it, creating a code injection vulnerability classified as CWE-94. Attackers can leverage specially crafted HTTP requests to inject and execute arbitrary code on vulnerable systems.

This input validation failure enables attackers to bypass security controls and inject operating system commands that execute with the privileges of the web application process. Because the management interface typically runs with elevated privileges to perform administrative functions, successful exploitation provides attackers with significant control over the compromised system and potential pathways to privilege escalation.

Active Exploitation Targeting Internet-Facing Deployments

Exploitation attempts have been observed in the wild since January 21, 2026, prompting urgent security alerts from Cisco. The active exploitation indicates real-world targeting of internet-facing Cisco Unified Communications deployments, where attackers identify exposed management interfaces through reconnaissance scanning and then send specially crafted HTTP requests to gain OS access and potentially escalate privileges to root level.

The confirmed exploitation activity demonstrates that threat actors have developed working exploits and are actively scanning for and compromising vulnerable systems. This poses immediate risk to organizations that have not yet applied security patches or implemented compensating controls to restrict management interface exposure. The unauthenticated nature of the vulnerability makes it particularly attractive to attackers, as successful exploitation requires no stolen credentials or social engineering.

Comprehensive Patching Required Across Product Line

Cisco has released security patches and fixed software versions for all affected Unified Communications products, including specific service releases for Cisco Unified Communications Manager, Unified Communications Manager Session Management Edition, Unified Communications Manager IM & Presence Service, Unity Connection, and Webex Calling Dedicated Instance. Organizations must upgrade to version 14SU5 or 15SU4 to remediate the vulnerability. Systems running Release 12.5 must migrate to a supported fixed release, as patches are not available for older unsupported versions.

There are no effective workarounds for this critical Cisco security flaw, making vendor-provided patches the only reliable mitigation. Given the confirmed active exploitation, timely patching combined with restricting management interface exposure to trusted networks represents the most effective defense strategy against this threat.

Recommendations

Apply Vendor Patches Immediately

Organizations should urgently apply Cisco-released security patches or upgrade to fixed software versions for all affected Unified Communications products. Systems exposed to the internet or supporting critical business functions should be prioritized. Older or unsupported versions may require full version upgrades rather than incremental patches.

Restrict Management Interface Exposure

Web-based management interfaces should not be exposed to untrusted or public networks. Access should be limited to trusted administrative networks using firewall rules, VPNs, or jump hosts. Reducing attack surface is critical until remediation is fully implemented, especially given the unauthenticated nature of this vulnerability.

Enhance Monitoring and Detection

Security teams should monitor for suspicious HTTP requests or anomalous activity targeting Cisco Unified Communications services. Logs from web interfaces and underlying operating systems should be reviewed for indicators of compromise, including unexpected command execution or privilege escalation attempts. Deploy IDS/IPS signatures capable of detecting crafted HTTP request sequences associated with this vulnerability.

Conduct Asset Inventory and Prioritization

Identify all Cisco Unified Communications deployments across the organization and verify current software versions against the vulnerable release list. Prioritize remediation based on system criticality, network exposure, and business impact. Document remediation progress to ensure complete coverage.

MITRE ATT&CK TTPs

Tactics and Techniques

Resource Development

  • T1588: Obtain Capabilities
    • T1588.006: Vulnerabilities
    • T1588.005: Exploits

Initial Access

  • T1190: Exploit Public-Facing Application

Execution

  • T1059: Command and Scripting Interpreter

Privilege Escalation

  • T1068: Exploitation for Privilege Escalation

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox