CVE-2026-20045

A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.  This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.
Configurations

Configuration 1

OR
cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:-:*:*:*
cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:*
cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:*:*:*:*:*:*:*:*
cpe:2.3:a:cisco:unity_connection:*:*:*:*:*:*:*:*

History

22 Jan 2026, 14:28

Type Values Removed Values Added
CPE
  • cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:-:*:*:*
  • cpe:2.3:a:cisco:unity_connection:*:*:*:*:*:*:*:*
  • cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:*
  • cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:*:*:*:*:*:*:*:*
First Time
  • Cisco Unified Communications Manager
  • Cisco
  • Cisco Unified Communications Manager IM and Presence Service
  • Cisco Unity Connection
References
  • Removed: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b
  • Added: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b - Vendor Advisory
References
  • Removed: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20045
  • Added: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20045 - US Government Resource

22 Jan 2026, 12:55

Type Values Removed Values Added
Summary
  • (es) A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.

21 Jan 2026, 21:16

Type Values Removed Values Added
References
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20045

21 Jan 2026, 17:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-01-21 17:16

Updated : 2026-01-22 14:28


Products Affected

cisco

  • unity_connection
  • unified_communications_manager_im_and_presence_service
  • unified_communications_manager
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')