Another week, another emergency patch as Cisco plugs Unified Comms zero-day


Cisco has finally shipped a fix for a critical-rated zero-day in its Unified Communications gear, a flaw that's already being weaponized in the wild, and which CISA previously flagged as an emergency priority.

The bug, tracked as CVE-2026-20045, lurks in the web-management interfaces of Cisco Unified Communications Manager (Unified CM), Session Management Edition (SME), IM & Presence Service (IM&P), Cisco Unity Connection, and Webex Calling Dedicated Instance platforms. It allows unauthenticated remote attackers to execute arbitrary code on the underlying operating system and potentially escalate to root. 

Cisco's Product Security Incident Response Team gave it a "Critical" severity rating, even though its CVSS base score sits in the "High" range, because successful exploits can lead to full system compromise. 

The networking giant said it is "aware of attempted exploitation of this vulnerability in the wild" and has urged customers to apply fixes immediately. 

Cisco hasn't said how ...


Copyright of this story solely belongs to theregister.co.uk.