PatchSiren

CVE-2026-20045 Cisco CVE debrief

CVE-2026-20045 is a Cisco Unified Communications Products code injection vulnerability affecting Cisco Unified Communications Manager and listed by CISA in the Known Exploited Vulnerabilities (KEV) catalog. Because it is already in KEV, this should be treated as a high-priority remediation item. The supplied corpus does not include CVSS data or deeper technical detail, so the safest response is to inventory affected Cisco deployments, follow Cisco’s advisory and mitigations, and meet the CISA due date of 2026-02-11.

Vendor: Cisco
Product: Unified Communications Manager
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2026-01-21
Original CVE updated: 2026-01-21
Advisory published: 2026-01-21
Advisory updated: 2026-01-21

Who should care

Cisco Unified Communications Manager administrators, VoIP and collaboration platform owners, telecom/UC operations teams, vulnerability management, and incident response teams—especially if the system is internet-facing, mission-critical, or difficult to service.

Technical summary

The supplied sources identify this issue as a code injection vulnerability in Cisco Unified Communications Products, specifically Cisco Unified Communications Manager. CISA has placed it in the KEV catalog, which indicates known exploitation, so remediation should be expedited. The provided corpus includes no additional exploit mechanics, affected versions, or CVSS rating.

Defensive priority

Urgent. KEV inclusion makes this a top-tier remediation item, with CISA’s due date set to 2026-02-11.

Recommended defensive actions

  • Identify all Cisco Unified Communications Manager and related Cisco Unified Communications deployments in your environment.
  • Review Cisco’s official security advisory for version-specific remediation and mitigation guidance.
  • Apply vendor-recommended mitigations and updates as soon as they are available.
  • If mitigations are unavailable, consider discontinuing use of the product per CISA guidance.
  • For cloud services, follow applicable BOD 22-01 guidance.
  • Prioritize validation, change control, and post-remediation verification before the 2026-02-11 due date.

Evidence notes

This debrief is based only on the supplied CISA KEV metadata and the referenced official links. The corpus confirms: CVE-2026-20045; vendor Cisco; product Cisco Unified Communications Manager; vulnerability name 'Cisco Unified Communications Products Code Injection Vulnerability'; KEV dateAdded 2026-01-21; dueDate 2026-02-11; and CISA’s recommended action to apply vendor mitigations, follow BOD 22-01 for cloud services, or discontinue use if mitigations are unavailable. No CVSS score/severity or deeper technical specifics were provided.

Official resources

Publicly listed by CISA in the Known Exploited Vulnerabilities catalog on 2026-01-21.