Latest Cisco Unified Communications Manager vulnerability: CVE-2026-20045 #
Cisco has reported a vulnerability in their Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, Cisco Unity Connection, and Cisco Dedicated Webex Calling Dedicated Instance products. These are products used to manage telecommunications, voice, video, and telepresence across various devices.
These products contain a vulnerability that would allow a remote, unauthenticated attacker to execute arbitrary commands on the underlying operating system of the device. This could be used to gain complete control over the vulnerable system.
This vulnerability has been assigned CVE-2026-20045 and has a CVSS score of 8.2 (high). Note that while the CVSS score indicates a high ranking, the vendor advisory indicates that this is a critical vulnerability.
The following versions are affected
- Versions 12.5, 14.x, and 15.x of the above products are confirmed vulnerable. Older versions may still be vulnerable.
What are these products? #
These products are used to manage telecommunications, voice, video, and telepresence across various devices.
What is the impact? #
Successful exploitation of this vulnerability would allow an adversary to execute arbitrary commands on a vulnerable host.
Are updates or workarounds available? #
No workarounds are available but Cisco has released patches for vulnerable systems. For users of versions 12.5 or earlier, users are advised they must upgrade to a fixed version. For newer versions, apply the appropriate patches as indicated in the vendor's security advisory.
How to find potentially vulnerable systems with runZero #
From the Software inventory, use the following query to locate potentially vulnerable assets:
vendor:=Cisco AND product:="Unified Communications Manager"
