Overview
- The vulnerability, tracked as CVE-2026-20045, stems from improper validation of HTTP input and allows code execution that can escalate from user-level access to root.
- Affected platforms include Unified Communications Manager and SME, IM & Presence, Unity Connection, and Webex Calling Dedicated Instance.
- Cisco PSIRT confirmed in-the-wild exploitation attempts and urged immediate upgrades to fixed releases or application of provided patch files.
- There are no workarounds, and remediation is version-specific with guidance in Cisco’s README files, including patch options for 14.x and interim patches for 15.x ahead of 15SU4 in March 2026.
- Although the CVSS score is 8.2, Cisco designated the issue Critical due to the potential for privilege escalation, and the bug was reported by an unnamed external researcher.