Main Vulnerability Database SB2026012157

SB2026012157 - Unauthenticated remote code execution in Cisco Unified Communications products

Published: January 21, 2026 Updated: February 6, 2026

Security Bulletin ID SB2026012157

Severity

Critical

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Code Injection (CVE-ID: CVE-2026-20045)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when handling HTTP requests. A remote attacker can send a specially crafted HTTP request and execute arbitrary code on the target system.

Note, the vulnerability is being actively exploited in the wild.

Remediation

Install update from vendor's website.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwr21851
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwr29208
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwr29216