Cisco has released critical security updates to address a remote code execution (RCE) vulnerability, tracked as CVE-2026-20045, which affects various Unified Communications and Webex Calling products. The flaw arises from improper validation of user-supplied input in HTTP requests sent to the web-based management interface. If exploited, an attacker can gain user-level access to the underlying operating system and subsequently escalate privileges to root.
The vulnerability is confirmed to have been exploited as a zero-day in active attacks. In response to the ongoing threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog, requiring federal agencies to apply patches by February 11, 2026. Cisco urges all administrators to update immediately, as no workarounds are currently available to mitigate the risk.
Top comments (0)