CISA Warns: Cisco Unified CM 0- Vulnerability Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert. This comes after the agency confirmed active exploitation of a zero-day remote code execution (RCE) vulnerability in multiple Cisco Unified Communications products.

Tracked as CVE-2026-20045, the flaw enables code injection attacks that grant attackers user-level access to the underlying OS, followed by full root privilege escalation.

Added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on January 21, 2026, federal agencies must apply mitigations by February 11, 2026, or discontinue use of affected products.

This critical issue stems from improper input validation in Cisco’s communication platforms, aligning with CWE-94: Improper Control of Generation of Code. Attackers can inject malicious code via crafted network requests, bypassing authentication in some scenarios.

Attackers exploiting this flaw can execute arbitrary code within the context of the vulnerable service. CISA confirmed active exploitation in the wild, prompting the urgent addition to the KEV catalog on January 21, 2026.

Organizations managing these communications systems face immediate risk of compromise.

Cisco has published an advisory confirming the vulnerability affects on-premises deployments, with no workaround available beyond patching.

Affected Products and Attack Vectors

The vulnerability impacts:

• Cisco Unified Communications Manager (Unified CM)
• Cisco Unified Communications Manager Session Management Edition (Unified CM SME)
• Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P)
• Cisco Unity Connection
• Cisco Webex Calling Dedicated Instance

Enterprise voice and collaboration environments face high risk, as these products often expose management interfaces to the internet.

Attackers exploit the flaw remotely without authentication by sending malformed packets to exposed services like CTI Manager or AXLE services.

Once injected, code executes in the context of the web server process, allowing persistence via cron jobs or backdoors before root escalation through known local priv-esc paths.

Early indicators suggest threat actors are chaining this with phishing or supply-chain compromises to target call centers and UCaaS providers.

Cisco urges immediate upgrades to patched versions:

1. Unified CM: Release 14SU2.7 or later
2. Unity Connection: 14SU2.7 or later
3. IM&P: 14SU3 or later

CISA emphasizes zero-trust principles: assume breach and hunt for IOCs, such as unexpected root processes or injected web shells.

This zero-day underscores persistent risks in legacy UC infrastructure, where delayed patching leaves orgs vulnerable to ransomware or espionage.

No public PoCs exist yet, but underground forums report exploits for sale. Security teams should cross-reference CISA KEV and Cisco PSIRT for updates.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.