Cisco Unified Communications Zero-Day Exploited in the Wild for Root Access (CVE-2026-20045)

Cisco has disclosed a critical zero-day vulnerability in its Unified Communications products that is being actively exploited in the wild, allowing unauthenticated attackers to execute arbitrary commands and gain root access on affected systems.

The vulnerability, tracked as CVE-2026-20045, affects the web-based management interface of multiple Cisco UC products. Cisco's Product Security Incident Response Team (PSIRT) has confirmed active exploitation attempts and is urging immediate patching.

Technical Details

The flaw stems from improper validation of user-supplied input in HTTP requests to the management interface. Attackers can send crafted HTTP requests that bypass authentication, execute commands at the user level, and then escalate privileges to root.

Cisco rated the vulnerability as Critical via its Security Impact Rating (SIR), overriding the CVSS score due to the root-level access implications. No workarounds are available. Exploitation requires only network access to the management interface, which in enterprise VoIP deployments is commonly reachable through firewall rules or over VPN.

Affected Products

Products confirmed as not affected include Contact Center SIP Proxy, Unified CCE, and others listed in Cisco's advisory.

Fixed Releases

Unified CM, IM&P, SME, Webex Calling:

Release  Fix
12.5     Migrate to fixed release
14       14SU5 or 14SU4a patch
15       15SU4 (March 2026) or 15SU2/3 patches

Unity Connection:

Release  Fix
12.5     Migrate to fixed release
14       14SU5 or 14SU4 patch
15       15SU4 (March 2026) or 15SU3 patch
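To turn the two tables into an inventory check, here is an added Python helper (not Cisco's code and not part of the advisory) that encodes them as triage rules. It assumes release strings in the form "14SU4a", that the operator supplies whether the SU patch is applied, and that any release train the tables do not list, such as 12.5, falls under "migrate".

```python
import re
from enum import Enum

# Required action for one node, derived from the fixed-release tables above.
class Action(Enum):
    FIXED = "no action: running a fixed release"
    APPLY_PATCH = "apply the Cisco patch for this SU"
    UPGRADE_SU = "upgrade to a fixed SU"
    MIGRATE = "migrate to a fixed major release"

# Per product family and major release: (first SU that is fixed outright,
# SUs that are fixed once the patch is applied). SUs are (number, suffix)
# tuples so that 14SU4a sorts after 14SU4.
FIX_TABLE = {
    "ucm": {  # Unified CM, IM&P, SME, Webex Calling
        "14": ((5, ""), {(4, "a")}),
        "15": ((4, ""), {(2, ""), (3, "")}),
    },
    "unity": {  # Unity Connection
        "14": ((5, ""), {(4, "")}),
        "15": ((4, ""), {(3, "")}),
    },
}

_RELEASE_RE = re.compile(r"^(\d+(?:\.\d+)?)(?:SU(\d+)([a-z]?))?$", re.IGNORECASE)

def parse_release(release: str):
    """Split '14SU4a' into ('14', (4, 'a')); a base release maps to SU (0, '')."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, su, suffix = m.group(1), m.group(2), m.group(3) or ""
    return major, (int(su) if su else 0, suffix.lower())

def triage(family: str, release: str, patch_applied: bool = False) -> Action:
    """Map a node's release (and patch state) to the action the tables require."""
    major, su = parse_release(release)
    table = FIX_TABLE[family]
    if major not in table:  # 12.5 and any train without a listed fix (assumption)
        return Action.MIGRATE
    first_fixed_su, patchable = table[major]
    if su >= first_fixed_su:
        return Action.FIXED
    if su in patchable:
        return Action.FIXED if patch_applied else Action.APPLY_PATCH
    return Action.UPGRADE_SU

if __name__ == "__main__":
    # Constructed inventory rows: (hostname, family, release, patch applied)
    for host, fam, rel, patched in [("cucm-pub-01", "ucm", "14SU4a", False),
                                    ("cuc-01", "unity", "15SU3", True)]:
        print(host, rel, "->", triage(fam, rel, patched).value)
```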

Exploitation Activity

Cisco PSIRT has detected real-world exploitation targeting unpatched systems. Attackers are likely leveraging automated scanners to identify exposed management interfaces. CISA is expected to add this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog imminently.

Recommendations

  • Apply patches immediately
  • Restrict management interface access to trusted IPs via firewall rules
  • Monitor logs for anomalous HTTP requests to the management interface
  • Prioritize patching for systems exposed to the internet or accessible via VPN

The vulnerability was reported by an external researcher who Cisco credited in the advisory.

By Zero Day Wire