CVE-2026-20045CRITICAL 9.8CISA KEVEPSS p89.9%

CVE-2026-20045Cisco Unified Communications Products Code Injection Vulnerability

Cisco / Unified Communications Manager

Description

Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS4.31% probability of exploitation · percentile 89.9% · 2026-06-19T12:03:05Z
Published2026-01-21
Last modified2026-02-13

CISA KEV entry

Added to KEV: 2026-01-21

Underlying weaknesses· 1

CWE-94

References

  1. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b
  2. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20045

1

TypeTargetConfidenceTier
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

(incoming)1

TypeTargetConfidenceTier
KEVEntryCisco Unified Communications Products Code Injection Vulnerabilitykev-cve-2026-200450%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-20034
CVE
CVE-2026-20230
CVE
CVE-2025-20309
CVE
CVE-2025-20326
CVE
Cisco Identity Services Engine Injection Vulnerability
CVE
CVE-2026-20094
Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.