Rob Wright, Senior News Director, Dark Reading
January 23, 2026

UPDATE

A zero-day vulnerability affecting a range of Cisco's unified communications products has been exploited by threat actors, though details of the activity are unclear.

Cisco on Wednesday disclosed and patched CVE-2026-20045, a remote code execution (RCE) vulnerability in Cisco's Unified Communications Manager (UCM) as well as other products. Cisco has 30 million users for UCM, which provides IP-based voice, video, conferencing, and collaboration for enterprises — so the potential impact could be vast.

According to Cisco's advisory, the flaw stems from improper validation of user-supplied input in HTTP requests: "An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device," the advisory stated. "A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root."

While the vulnerability received a high-severity CVSS score of 8.2, Cisco said it assigned CVE-2026-20045 a proprietary Security Impact Rating (SIR) of critical because of the potential for attackers to achieve root privileges and gain full control over targeted systems.

The zero-day vulnerability also impacts Cisco's Unified Communications Manager Session Management Edition (UCM SME), Unified Communications Manager IM & Presence Service (UCM IM&P), Unity Connection, and Webex Calling Dedicated Instance. The networking giant credited an anonymous "external researcher" with the discovery of the RCE flaw.

Cisco Zero-Day Under Attack, But From Where?

Cisco said in the advisory that its Product Security Incident Response Team (PSIRT) "is aware of attempted exploitation of this vulnerability in the wild," and strongly urged customers to update their software to a fixed version.
The US Cybersecurity and Infrastructure Security Agency (CISA) also added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday. The KEV listing stated that it's unknown if the vulnerability has been exploited in ransomware attacks.

Dark Reading contacted Cisco for comment, but the company declined to provide additional information.

While the source of the exploitation activity is unclear, threat intelligence vendor SOCRadar noted in a blog post Thursday that signs indicate possible mass scanning for vulnerable instances.

"Although public reports have not attributed the activity to a specific threat group, the observed exploitation behavior points to attackers scanning for exposed or poorly secured Unified Communications Management interfaces and abusing unauthenticated HTTP access to gain a foothold," SOCRadar researchers said.

Also on Thursday, Arctic Wolf Labs warned that the zero-day flaw was likely to attract more attention from attackers, given the nature and severity of the vulnerability.

"While Arctic Wolf has not identified a publicly available proof-of-concept exploit [PoC], threat actors are likely to continue targeting this vulnerability due to the high impact of achieving root-level access," the blog post said. "Cisco products have historically been popular targets for threat actors, as reflected in multiple prior entries within CISA’s Known Exploited Vulnerabilities catalog."

Indeed, Cisco vulnerabilities have been heavily targeted by a variety of threat actors in recent years, most notably by nation-state adversaries tied to the People's Republic of China (PRC). In September, Cisco disclosed and patched several zero-day vulnerabilities that were used in an ongoing state-sponsored cyber-espionage campaign known as "ArcaneDoor."

More recently, Cisco revealed in December that China-nexus threat group UAT-9686 had been exploiting a zero-day flaw that impacts Cisco's Secure Email Gateway and Secure Email and Web Manager.
The critical vulnerability, tracked as CVE-2025-20393, received a max CVSS score of 10 and was patched last week.

This story was updated at 8 a.m. ET on Jan. 26 to reflect that Cisco declined to comment.
A critical zero-day vulnerability, CVE-2026-20045, in Cisco UC is being actively scanned for exploitation. Successful exploitation could lead to complete system takeover.