Key points
- CVE-2026-20045 is a critical RCE vulnerability with a CVSS score of 8.2 and is being actively exploited in the wild.
- The flaw affects Cisco Unified CM, Unified CM SME, IM & Presence, Unity Connection, and Webex Calling Dedicated Instance.
- An unauthenticated remote attacker can exploit improper validation of HTTP input to execute arbitrary commands on the underlying operating system.
- There are no workarounds; patches are version-specific and customers should consult the README and upgrade to fixed software releases.
- Earlier in January, Cisco also fixed CVE-2026-20029, an improper XML parsing flaw in ISE/ISE-PIC, after a public PoC was released.