CERTFR-2026-AVI-0076

Vulnerability from certfr_avis - Published: 2026-01-22 - Updated: 2026-01-22

Une vulnérabilité a été découverte dans les produits Cisco. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.

Cisco indique que la vulnérabilité CVE-2026-20045 est activement exploitée.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Cisco indique que les versions 15SU4 pour Unified CM, Unified CM IM&P, Unified CM SME, Webex Calling Dedicated Instance et Unity Connection seront disponibles en mars 2026. Des correctifs pour cette vulnérabilité sont disponibles.

Impacted products
Vendor Product Description
Cisco Unity Connection Unity Connection versions 15.x antérieures à 15SU4 ou sans le dernier correctif de sécurité
Cisco Webex Calling Dedicated Instance Webex Calling Dedicated Instance versions antérieures à 14SU5 ou sans le dernier correctif de sécurité
Cisco Unity Connection Unity Connection versions antérieures à 14SU5 ou sans le dernier correctif de sécurité
Cisco Unified Communications Manager Unified Communications Manager versions antérieures à 14SU5 ou sans le dernier correctif de sécurité
Cisco Unified Communications Manager Session Management Edition Unified Communications Manager Session Management Edition versions 15.x antérieures à 15SU4 ou sans le dernier correctif de sécurité
Cisco Unified Communications Manager Unified Communications Manager versions 15.x antérieures à 15SU4 ou sans le dernier correctif de sécurité
Cisco Unified Communications Manager Session Management Edition Unified Communications Manager Session Management Edition versions antérieures à 14SU5 ou sans le dernier correctif de sécurité
Cisco Unified Communications Manager IM & Presence Service Unified Communications Manager IM & Presence Service versions 15.x antérieures à 15SU4 ou sans le dernier correctif de sécurité
Cisco Webex Calling Dedicated Instance Webex Calling Dedicated Instance versions 15.x antérieures à 15SU4 ou sans le dernier correctif de sécurité
Cisco Unified Communications Manager IM & Presence Service Unified Communications Manager IM & Presence Service versions antérieures à 14SU5 ou sans le dernier correctif de sécurité
References

Show details on source website
To clipboard 

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Unity Connection versions 15.x ant\u00e9rieures \u00e0 15SU4 ou sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Unity Connection",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Webex Calling Dedicated Instance versions ant\u00e9rieures \u00e0 14SU5 ou sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Webex Calling Dedicated Instance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Unity Connection versions ant\u00e9rieures \u00e0 14SU5 ou sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Unity Connection",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Unified Communications Manager versions ant\u00e9rieures \u00e0 14SU5 ou sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Unified Communications Manager",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Unified Communications Manager Session Management Edition versions 15.x ant\u00e9rieures \u00e0 15SU4 ou sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Unified Communications Manager Session Management Edition",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Unified Communications Manager versions 15.x ant\u00e9rieures \u00e0 15SU4 ou sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Unified Communications Manager",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Unified Communications Manager Session Management Edition versions ant\u00e9rieures \u00e0 14SU5 ou sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Unified Communications Manager Session Management Edition",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Unified Communications Manager IM \u0026 Presence Service versions 15.x ant\u00e9rieures \u00e0 15SU4 ou sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Unified Communications Manager IM \u0026 Presence Service",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Webex Calling Dedicated Instance versions 15.x ant\u00e9rieures \u00e0 15SU4 ou sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Webex Calling Dedicated Instance",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Unified Communications Manager IM \u0026 Presence Service versions ant\u00e9rieures \u00e0 14SU5 ou sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Unified Communications Manager IM \u0026 Presence Service",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "Cisco indique que les versions 15SU4 pour Unified CM, Unified CM IM\u0026P, Unified CM SME, Webex Calling Dedicated Instance et Unity Connection seront disponibles en mars 2026. Des correctifs pour cette vuln\u00e9rabilit\u00e9 sont disponibles. ",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2026-20045",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-20045"
    }
  ],
  "initial_release_date": "2026-01-22T00:00:00",
  "last_revision_date": "2026-01-22T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0076",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-01-22T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans les produits Cisco. Elle permet \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n\nCisco indique que la vuln\u00e9rabilit\u00e9 CVE-2026-20045 est activement exploit\u00e9e.",
  "title": "Vuln\u00e9rabilit\u00e9 dans les produits Cisco",
  "vendor_advisories": [
    {
      "published_at": "2026-01-21",
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-voice-rce-mORhqY4b",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.