Cisco released urgent patches for a critical zero-day vulnerability (CVE-2026-20045) in multiple Unified Communications products and Webex Calling Dedicated Instance that allows unauthenticated remote attackers to execute arbitrary OS commands and escalate to root. There are no workarounds, the flaw is being actively exploited in the wild, and CISA added it to its KEV catalog with a remediation deadline of February 11, 2026. Affected customers should upgrade to the specified fixed releases or apply the provided .cop.sha512 patch files immediately.
Key points
- CVE-2026-20045 (CVSS 8.2) allows unauthenticated remote command execution and privilege escalation to root via crafted HTTP requests.
- The flaw impacts Cisco Unified CM, Unified CM SME, Unified CM IM&P, Unity Connection, and Webex Calling Dedicated Instance.
- Fixed releases and patch files are available for Release 12.5, 14 (14SU5 or .cop.sha512 patches), and 15 (15SU4 or .cop.sha512 patches); customers must migrate or apply patches.
- Cisco reported active exploitation in the wild and credited an anonymous external researcher for reporting the vulnerability.
- CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate by February 11, 2026; this follows a recent fix for CVE-2025-20393 in AsyncOS.
Read More: https://thehackernews.com/2026/01/cisco-fixes-actively-exploited-zero-day.html