{"id":10052,"date":"2026-01-22T10:04:29","date_gmt":"2026-01-22T10:04:29","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/22\/cisco-unified-communications-0-day-rce-vulnerability-exploited-in-the-wild-to-gain-root-access\/"},"modified":"2026-01-22T10:04:29","modified_gmt":"2026-01-22T10:04:29","slug":"cisco-unified-communications-0-day-rce-vulnerability-exploited-in-the-wild-to-gain-root-access","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/22\/cisco-unified-communications-0-day-rce-vulnerability-exploited-in-the-wild-to-gain-root-access\/","title":{"rendered":"Cisco Unified Communications 0-day RCE Vulnerability Exploited in the Wild to Gain Root Access"},"content":{"rendered":"<div>\n<p>Cisco has disclosed a critical zero-day remote code execution (RCE) vulnerability, CVE-2026-20045, actively exploited in the wild.<\/p>\n<p>Affecting key Unified Communications products, this flaw allows unauthenticated attackers to run arbitrary commands on the underlying OS, potentially gaining root access.<\/p>\n<p>The Cisco Product Security Incident Response Team (PSIRT) confirmed exploitation attempts and urged immediate patching.<\/p>\n<p>The issue stems from improper validation of user-supplied input in HTTP requests to the web-based management interface. An attacker sends crafted HTTP requests that bypass <a href=\"https:\/\/cybersecuritynews.com\/authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">authentication<\/a>, execute commands at the user level, and then escalate privileges to root. Cisco rated it Critical via Security Impact Rating (SIR), overriding the CVSS score due to root-level risks.<\/p>\n<p>No workarounds exist.
Exploitation requires network access to the management interface, common in enterprise VoIP setups exposed via firewalls or VPNs.<\/p>\n<h2 class=\"wp-block-heading\" id=\"affected-products\"><strong>Affected Products<\/strong><\/h2>\n<p>This vulnerability impacts these Cisco products regardless of configuration:<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Product<\/th>\n<th>Bug ID<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Unified CM<\/td>\n<td>CSCwr21851<\/td>\n<\/tr>\n<tr>\n<td>Unified CM SME<\/td>\n<td>CSCwr21851<\/td>\n<\/tr>\n<tr>\n<td>Unified CM IM&amp;P<\/td>\n<td>CSCwr29216<\/td>\n<\/tr>\n<tr>\n<td>Unity Connection<\/td>\n<td>CSCwr29208<\/td>\n<\/tr>\n<tr>\n<td>Webex Calling Dedicated Instance<\/td>\n<td>CSCwr21851<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Products like Contact Center SIP Proxy, Unified CCE, and others are confirmed unaffected. Check the <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-voice-rce-mORhqY4b\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">advisory<\/a> for full details.<\/p>\n<h2 class=\"wp-block-heading\" id=\"fixed-releases-and-patches\"><strong>Fixed Releases and Patches<\/strong><\/h2>\n<p>Cisco released <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-voice-rce-mORhqY4b\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">updates and patches<\/a>. 
Migrate or apply version-specific fixes; consult patch READMEs.<\/p>\n<h3 class=\"wp-block-heading\"><strong>Unified CM, IM&amp;P, SME, Webex Calling<\/strong><\/h3>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Release<\/th>\n<th>First Fixed Release<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>12.5<\/td>\n<td>Migrate to fixed release<\/td>\n<\/tr>\n<tr>\n<td>14<\/td>\n<td>14SU5 or <a href=\"https:\/\/software.cisco.com\/download\/home\/286328117\/type\/286319236\/release\/14SU4a\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">14SU4a patch<\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>15<\/td>\n<td>15SU4 (Mar 2026) or <a href=\"https:\/\/software.cisco.com\/download\/home\/286331940\/type\/286319236\/release\/15SU2\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">15SU2\/3 patches<\/a>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\"><strong>Unity Connection<\/strong><\/h3>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Release<\/th>\n<th>First Fixed Release<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>12.5<\/td>\n<td>Migrate to fixed release<\/td>\n<\/tr>\n<tr>\n<td>14<\/td>\n<td>14SU5 or <a href=\"https:\/\/software.cisco.com\/download\/home\/286328409\/type\/286319533\/release\/14SU4\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">14SU4 patch<\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>15<\/td>\n<td>15SU4 (Mar 2026) or <a href=\"https:\/\/software.cisco.com\/download\/home\/286331949\/type\/286319533\/release\/15SU3\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">15SU3 patch<\/a>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>PSIRT validates only listed releases.<\/p>\n<h2 class=\"wp-block-heading\" id=\"exploitation-in-the-wild\"><strong>Exploitation in the Wild<\/strong><\/h2>\n<p>Cisco PSIRT detected real-world exploits targeting unpatched systems. Attackers likely leverage automated scanners for exposed interfaces. 
Enterprises running vulnerable VoIP\/UC deployments face high risk, especially in hybrid work environments.<\/p>\n<p>Apply patches immediately. Restrict the management interface to trusted IPs via firewalls. Monitor logs for anomalous HTTP requests. CISA <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">added<\/a> this to the Known Exploited Vulnerabilities catalog soon.<\/p>\n<p>An external researcher reported the flaw; Cisco credited them in the advisory. Stay vigilant: zero-day vulnerabilities like CVE-2026-20045 underscore UC platform risks amid rising RCE trends.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/cisco-unified-cm-rce\/\">Cisco Unified Communications 0-day RCE Vulnerability Exploited in the Wild to Gain Root Access<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cisco Unified Communications 0-day RCE Vulnerability Exploited in the Wild to Gain Root Access Cisco has disclosed a critical zero-day remote code execution (RCE) vulnerability, CVE-2026-20045, actively exploited in the wild. Affecting key Unified Communications products, this flaw allows unauthenticated attackers to run arbitrary commands on the underlying OS, potentially gaining root access.
The Cisco [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-10052","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10052"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10052"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10052\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10052"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10052"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10052"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}