**U.S. CISA Adds Flaw in Cisco Unified Communications Products to Its Known Exploited Vulnerabilities Catalog**
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability impacting Cisco Unified Communications products to its Known Exploited Vulnerabilities (KEV) catalog.
**A Critical Zero-Day Flaw in Cisco Products**
Recently, Cisco patched a critical zero-day remote code execution flaw, tracked as CVE-2026-20045 (CVSS score of 8.2), which is actively being exploited by attackers. The vulnerability allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.
**Affected Products**
The bug affects several Cisco Unified Communications products, including:
* Cisco Unified CM
* Unified CM SME
* IM & Presence
* Unity Connection
* Webex Calling Dedicated Instance
According to Cisco's advisory, "This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device."
**Consequences of Exploitation**
A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root, giving them complete control over the compromised device.
**No Workarounds Available**
Cisco has confirmed that there are no workarounds that can address this vulnerability. The company strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability.
**Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities**
CISA has issued Binding Operational Directive (BOD) 22-01, which requires federal agencies to address identified vulnerabilities by the due date to protect their networks against attacks exploiting flaws in the catalog.
**Recommendations for Private Organizations**
Experts recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure. CISA orders federal agencies to fix the vulnerabilities by February 11, 2026.
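One way to act on this recommendation, as an added example (not from the article, Cisco or CISA): match KEV entries against an asset inventory and track the days left to the due date. The feed excerpt, inventory and hostnames are constructed; the field names `cveID`, `vendorProject`, `product` and `dueDate` follow the KEV JSON feed.

```python
import json
from datetime import date

# Constructed record in the shape of CISA's KEV JSON feed. Only cveID, vendor
# and dueDate come from the article; the product string is made up, and the
# second record is a placeholder that matches nothing in the inventory.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-20045", "vendorProject": "Cisco",
   "product": "Unified Communications Products", "dueDate": "2026-02-11"},
  {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
   "product": "Example Gateway", "dueDate": "2026-01-26"}
]}
""")

# Affected product names as listed in the article, keyed by CVE.
AFFECTED = {
    "CVE-2026-20045": {"Unified CM", "Unified CM SME", "IM & Presence",
                       "Unity Connection", "Webex Calling Dedicated Instance"},
}

# Hypothetical inventory: hostnames and patch state are placeholders.
INVENTORY = [
    {"host": "cucm-01.example.internal", "product": "Unified CM", "fixed_cves": []},
    {"host": "unity-01.example.internal", "product": "Unity Connection",
     "fixed_cves": ["CVE-2026-20045"]},
    {"host": "fw-01.example.internal", "product": "Example Firewall", "fixed_cves": []},
]

def triage(kev, inventory, affected, today):
    """Return unremediated KEV findings, earliest due date first."""
    findings = []
    for vuln in kev["vulnerabilities"]:
        cve = vuln["cveID"]
        due = date.fromisoformat(vuln["dueDate"])
        for asset in inventory:
            if asset["product"] not in affected.get(cve, ()):
                continue  # product not listed as affected by this CVE
            if cve in asset["fixed_cves"]:
                continue  # already upgraded to a fixed release
            days_left = (due - today).days
            findings.append({"host": asset["host"], "cve": cve,
                             "due": due.isoformat(), "days_left": days_left,
                             "overdue": days_left < 0})
    return sorted(findings, key=lambda f: f["due"])

if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, AFFECTED, date(2026, 2, 1)):
        print(f)
```

Because Cisco lists no workarounds, the only state that clears a finding here is an asset recorded as running a fixed release.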