# [CRIT] CISA KEV: CVE-2026-20045 — Cisco Unified Communications Products Code Injection Vulnerability **Source:** CISA KEV **Published:** 2026-01-21 **Article:** https://www.cisa.gov/known-exploited-vulnerabilities-catalog ## Threat Profile CISA KEV entry. The U.S. federal "Known Exploited Vulnerabilities" catalog only adds CVEs that have been **observed exploited in the wild**. Federal civilian agencies are required to remediate by the published due date; the same prioritisation logic applies to any sensible enterprise SOC. Vendor / Product: **Cisco Unified Communications Products Code Injection** ## Indicators of Compromise - CVE-2026-20045 — match against your vulnerability scanner ## MITRE ATT&CK - **T1190 — Exploit Public-Facing Application** (KEV implies active exploitation against exposed assets) ## Recommended hunts Standard asset-exposure hunt — the canonical Splunk SPL and Defender KQL live once in [`../_TEMPLATES.md#asset-exposure`](../_TEMPLATES.md#asset-exposure). Substitute this CVE wherever the template references ``: - **CVE:** `CVE-2026-20045` ## Why this matters Anything in CISA KEV is *currently* being exploited. Even if your scanners say "not vulnerable" because of patches, it's worth one quick check across your fleet — patch lag is the silent killer. Federal due-date dates also frequently match the timing your organisation will be asked about by auditors / regulators. ## Source body Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Vendor: Cisco, Product: Unified Communications Manager. Federal patch due: 2026-02-11. CVE-2026-20045