⚠ Actively exploited

Added to CISA KEV on 2026-01-21. Federal agencies required to patch by 2026-02-11. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2026-20045 — Code Injection in Cisco Unified Communications Manager

CWE-94 — Code Injection7 documents7 sources

Severity

9.8CRITICALNVD

CNA8.2VulnCheck8.2

EPSS

1.3%

top 19.96%

CISA KEV

KEV

Added 2026-01-21

Due 2026-02-11

Exploit

No known exploits

Affected products

Cisco Unified Communications Manager Cisco Unified Communications Manager IM AND Presence Service Cisco Unity Connection +3 more

Timeline

PublishedJan 21

KEV addedJan 21

Latest updateJan 22

KEV dueFeb 11

CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to improper validation of user-supplied …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages6 packages

▶NVDcisco/unified_communications_manager_im_and_presence_service12.5 — 14su5+1

▶CVEListV5cisco/cisco_unified_communications_manager_im_and_presence_service20 versions+19

▶NVDcisco/unified_communications_manager12.5 — 14su5+1

▶CVEListV5cisco/cisco_unified_communications_manager31 versions+30

▶NVDcisco/unity_connection12.5 — 14su5+1

🔴Vulnerability Details

CVEList

Cisco Unified Communications Products Remote Code Execution Vulnerability↗2026-01-21

▶

GHSA

GHSA-h4w3-hxw6-99q7: A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME)↗2026-01-21

▶

VulnCheck

Cisco Unified Communications Products Code Injection Vulnerability↗2026

▶

📋Vendor Advisories

Cisco

Cisco Unified Communications Products Remote Code Execution Vulnerability↗2026-01-22

▶

CISA

Cisco Unified Communications Products Code Injection Vulnerability↗2026-01-21

▶

🕵️Threat Intelligence

Bleepingcomputer

Cisco fixes Unified Communications RCE zero day exploited in attacks↗2026-01-21

▶