Cisco has released security updates to address a critical remote code execution (RCE) vulnerability affecting its Unified Communications and Webex Calling platforms that has been actively exploited as a zero-day in the wild.
Tracked as CVE-2026-20045, the flaw impacts Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition, Unified CM IM & Presence, Cisco Unity Connection, and Webex Calling Dedicated Instance. The vulnerability exists due to improper input validation when handling HTTP requests, which could allow a remote attacker to execute arbitrary code on the affected system by sending a specially crafted HTTP request.
Cisco’s Product Security Incident Response Team (PSIRT) confirmed that exploitation attempts have been observed. The company noted that patches are version-specific and advised administrators to review the relevant README files before applying updates. Cisco also said there are no workarounds that can mitigate the issue without installing the fixed software releases.
In other news, attackers are reportedly exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718), allowing them to compromise even patched firewalls. In a Reddit post, multiple users reported seeing malicious SSO logins on fully patched FortiOS devices.
“We just had a malicious SSO login on one of our FortiGates running on 7.4.9 (FGT60F). Unfortunately, our Local-In policy script didn't work when this got deployed (that's on us, not good!) and the tech didn't realize it (again, not proud to admit that) and has been reachable over the internet. We have a SIEM that caught the local admin account being created. Now, I have done a little research, and it appears this is exactly how it looked when someone came in on CVE-2025-59718. But we have been on 7.4.9 since December 30th. I confirmed this via our backup configs. In fact I got the time down to the hour, so I know for sure we have been on FortiOS 7.4.9 since the evening of Dec 30,” a user said.
Another user reported that “the Fortinet developer team has confirmed the vulnerability persists or is not fixed in v7.4.10” and that a fix is scheduled for the upcoming 7.4.11, 7.6.6, and 8.0.0. “The current workaround is to set admin-forticloud-sso-login disable under config system global,” the post notes.
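As an added example (not from the article, the Reddit thread or Fortinet), the following Python audit reads a FortiOS backup config, reports the admin-forticloud-sso-login value under config system global, and lists admin accounts that are not on an expected list. The sample config, the account names and the parse_sections/audit helpers are constructed for illustration; a result of "not-set" only means the backup does not carry the setting, so the effective value has to be confirmed on the device.

```python
import re

# Constructed sample of a FortiOS backup config (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "svc-backup"
    next
end
"""

def parse_sections(text):
    """Map each top-level section to its direct 'set' values and 'edit' entry names."""
    sections, path, in_edit = {}, [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            path.append(line[len("config "):])
            if len(path) == 1:
                sections.setdefault(path[0], {"set": {}, "edit": []})
                in_edit = False
        elif line == "end" and path:
            path.pop()
        elif len(path) == 1:  # ignore anything inside nested config blocks
            cur = sections[path[0]]
            if m := re.match(r"edit (.+)", line):
                cur["edit"].append(m.group(1).strip('"'))
                in_edit = True
            elif line == "next":
                in_edit = False
            elif not in_edit and (m := re.match(r"set (\S+) (.+)", line)):
                cur["set"][m.group(1)] = m.group(2).strip('"')
    return sections

def audit(text, expected_admins):
    """Report the FortiCloud SSO admin-login setting and any admin not on the expected list."""
    sections = parse_sections(text)
    sso = sections.get("system global", {}).get("set", {}).get(
        "admin-forticloud-sso-login", "not-set")
    admins = sections.get("system admin", {}).get("edit", [])
    return {"forticloud_sso": sso,
            "unexpected_admins": sorted(set(admins) - set(expected_admins))}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, expected_admins={"admin"}))
```

Running it against each dated backup shows when the setting or the admin list changed between snapshots.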
Meanwhile, cybersecurity firm Arctic Wolf has warned of a new wave of automated malicious activity targeting FortiGate devices, involving unauthorized firewall configuration changes. The campaign, which began on January 15, 2026, is similar to activity observed last December that leveraged CVE-2025-59718 and CVE-2025-59719 to carry out malicious administrative logins.