CVE-2026-20045: Critical Zero-Day in Cisco Products Is Actively Exploited in the Wild

CVE-2026-20045 Zero-Day RCE in Cisco Products

Hot on the heels of the DoS vulnerability in Palo Alto Networks’ GlobalProtect (CVE-2026-0227), security professionals are facing another major challenge. This time, Cisco announced that several of its unified communications products are affected by a critical remote code execution (RCE) vulnerability. If successfully exploited, the flaw enables hackers to execute malicious commands on the underlying OS of the device. CVE-2026-0227 was quickly spotted by malicious actors, with Cisco noting attempts to exploit the vulnerability in in-the-wild attacks.

This latest RCE adds to an already concerning list of high-impact vulnerabilities in Cisco products disclosed at the end of last year. These include RCE flaws in Cisco ISE and ISE-PIC (CVE-2025-20281, CVE-2025-20282), as well as a critical zero-day in its AsyncOS Software (CVE-2025-20393).

The increasing frequency of zero-day exploitation, combined with shrinking patch windows, is putting unprecedented pressure on SOC teams. According to the 2025 Verizon Data Breach Investigations Report, breaches originating from vulnerability exploitation increased by 34% year over year. This sharp rise underscores the need for more proactive, defense-in-depth strategies, since reactive patching alone no longer seems sufficient.

Sign up for SOC Prime Platform, which offers the world’s largest Detection Intelligence dataset and covers a full pipeline from detection to simulation, to take your SOC to the next level and proactively thwart APT attacks, exploitation campaigns, and cyber threats of any scale and sophistication. Press Explore Detections to reach a comprehensive, context-enriched rule set addressing critical exploits, filtered by the corresponding “CVE” tag.

All detection rules can be used across multiple SIEM, EDR, and Data Lake platforms and are aligned with the latest MITRE ATT&CK® framework v18.1. Each rule is enriched with AI-native threat intelligence, including CTI references, attack timelines, audit configurations, triage recommendations, and more threat context.

Security teams can also leverage Uncoder AI to accelerate end-to-end detection engineering, including automatically generating rules from live threat reports, refining and validating logic, visualizing Attack Flows, converting IOCs into custom hunting queries, and instantly translating detection code across multiple languages.

CVE-2026-20045 Analysis

On January 21, 2026, Cisco patched a critical code injection vulnerability stemming from improper validation of user-supplied input in HTTP requests. The advisory details that threat actors might exploit the flaw by sending a set of crafted HTTP requests to the web-based management interface of the targeted instance. Upon exploitation, the hackers obtain user-level access to the operating system and can elevate their privileges to root.

According to the vendor, Unified CM, Unified CM Session Management Edition (SME), Unified CM IM & Presence Service (IM&P), Unity Connection, and Webex Calling Dedicated Instance are vulnerable. With no workarounds available and in-the-wild exploitation ongoing, Cisco urges users to apply patches immediately.

Notably, CVE-2026-20045 has been promptly added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are now required to apply the corresponding updates no later than February 11, 2026, highlighting the urgency of remediation.

The fast-moving exploitation of CVE-2026-20045 suggests a rising risk of follow-on attacks against organizations worldwide. To minimize the risks of exploitation attempts, rely on SOC Prime’s AI-Native Detection Intelligence Platform, which equips SOC teams with cutting-edge technologies and top cybersecurity expertise to stay ahead of emerging threats while maintaining operational effectiveness.

The post CVE-2026-20045: Critical Zero-Day in Cisco Products Is Actively Exploited in the Wild appeared first on SOC Prime.