Active Exploitation of Cisco Unified Communications RCE (CVE-2026-20045)
Cisco released fixes for a critical remote code execution vulnerability in Unified Communications and Webex Calling Dedicated Instance, tracked as CVE-2026-20045, after it was actively exploited as a zero-day. The issue stems from improper validation of user-supplied input in HTTP requests to the web-based management interface; successful exploitation can provide user-level OS access and enable privilege escalation to root. Affected products include Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance; Cisco provided version-specific remediations including fixed releases and .cop patch files (e.g., ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512).
CISA added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation and highlighting code injection flaws as a common attack vector with significant risk to the federal enterprise. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities by the specified due date, and CISA urged all organizations to similarly prioritize patching to reduce exposure to ongoing attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2026-20045 to the KEV catalog
CISA added CVE-2026-20045 to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The agency set a remediation deadline of 2026-02-11 for Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01.
Cisco confirms in-the-wild exploitation of CVE-2026-20045
Alongside the advisory, Cisco PSIRT said it had observed exploitation attempts against CVE-2026-20045 in the wild, making the issue a zero-day at disclosure. Reports noted the company did not provide attribution or scope details for the attacks.
Cisco discloses and patches CVE-2026-20045 in Unified Communications products
Cisco released security fixes for CVE-2026-20045, a critical code injection/remote code execution flaw in multiple Unified Communications products and Webex Calling Dedicated Instance. Cisco said the bug affects the web-based management interface, has no workaround, and can allow unauthenticated attackers to gain OS access and potentially escalate to root.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
11 references tracked. Mallory keeps watching after this page renders.
Actively exploited Cisco Unified Communications zero-day resolved | SC Media
scworld.com
Open sourceCisco Unified Communications Products Remote Code Execution Vulnerability
sec.cloudapps.cisco.com
Open sourceExploited Zero-Day Flaw in Cisco UC Could Affect Millions
darkreading.com
Open sourceCisco plugs up Unified Comms zero-day under active exploit • The Register
go.theregister.com
Open sourceUnder Attack: Critical Cisco RCE (CVE-2026-20045) Exploited in the Wild
securityonline.info
Open sourceCVE-2026-20045: Cisco Unified Communications Zero-Day Under Active Attack - TheCyberThrone
thecyberthrone.in
Open sourceCisco fixes Unified Communications RCE zero day exploited in attacks
bleepingcomputer.com
Open sourceCISA Adds One Known Exploited Vulnerability to Catalog | CISA
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Critical RCE Vulnerabilities in Enterprise Infrastructure (Cisco UC and VMware vCenter)
Reports warn of **in-the-wild exploitation** of critical remote code execution vulnerabilities affecting widely deployed enterprise infrastructure. One report describes a purported Cisco Unified Communications zero-day, **CVE-2024-20253**, impacting *Cisco Unified Communications Manager (Unified CM)*, *Cisco Unity Connection*, and *Webex Calling Dedicated Instance*, and claims it enables **unauthenticated command execution** via the web management interface, creating risk of full system compromise and rapid opportunistic scanning of internet-exposed instances. Separately, **CISA added Broadcom VMware vCenter Server CVE-2024-37079** (CVSS 9.8) to the **Known Exploited Vulnerabilities (KEV)** catalog based on evidence of exploitation; the issue is described as a **DCE/RPC heap overflow** that can lead to RCE via specially crafted network packets, and Broadcom updated its advisory to acknowledge observed exploitation. A third item (Rapid7’s Metasploit wrap-up) is not about either of these active-exploitation advisories; it covers new Metasploit modules for unrelated vulnerabilities (e.g., Oracle E-Business Suite **CVE-2025-61882** and Splunk issues), which may increase general exploitation capability but does not substantively corroborate the Cisco or VMware events.
Mar 21, 2026
Cisco Patches Critical Firewall Management RCE Vulnerabilities
Cisco released emergency fixes for two **critical (CVSS 10.0)** vulnerabilities in its firewall management software that could allow **remote, unauthenticated attackers** to execute code and gain **root-level** access to the underlying operating system. The issues are tracked as `CVE-2026-20079` and `CVE-2026-20131`, and reporting emphasized the risk profile given Cisco’s widespread deployment in large enterprises and the historical interest of sophisticated actors in rapidly weaponizing Cisco bugs. Available reporting stated there were **no confirmed in-the-wild exploitation** reports at the time of publication, but urged rapid patching due to the combination of unauthenticated reachability and full compromise potential. Separate coverage packaged the Cisco flaws alongside other weekly security items (e.g., Tycoon2FA infrastructure takedown and other incidents), but the Cisco item consistently described the same two maximum-severity firewall management vulnerabilities and their impact (RCE leading to root access).
Mar 21, 2026
Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities by UAT-8616
**CISA** ordered U.S. federal civilian agencies to urgently remediate a **critical Cisco Catalyst SD-WAN Manager compromise** tied to **CVE-2026-20127**, a `CVSS 10.0` authentication bypass flaw that allows attackers to obtain high-privilege access without valid credentials. Reporting indicates the activity was uncovered by **CISA** and **Cisco Talos**, which attributed exploitation to **UAT-8616** and assessed that the intrusions date back to 2023. Attackers reportedly maintained persistence by downgrading devices to older vulnerable software and then using the access to reach `NETCONF` and manipulate SD-WAN fabric configuration, creating significant risk for federal networks and other exposed deployments. Additional research shows the campaign is not limited to a single bug. Cisco disclosed in-the-wild exploitation of **CVE-2026-20127** together with **CVE-2022-20775**, an older SD-WAN CLI flaw enabling post-auth privilege escalation and root command execution, while external analysis warned that public proof-of-concept material around `CVE-2026-20127` has been misattributed and may produce incomplete detections. Researchers also highlighted broader exposure across internet-facing SD-WAN Manager instances and warned that **CVE-2026-20133** may present underappreciated risk and could already be seeing exploitation, underscoring that defenders should treat the Cisco SD-WAN issue as an active intrusion and hardening priority rather than a routine patch cycle.
Mar 21, 2026