嗯,用户让我用中文总结一篇文章,控制在100字以内,而且不需要用“文章内容总结”之类的开头。好的,我先看看这篇文章讲的是什么。 文章主要讲的是美国CISA机构将一个影响思科统一通信产品的漏洞加入到了已知被利用的漏洞目录中。这个漏洞的编号是CVE-2026-20045,CVSS评分为8.2,属于严重级别。攻击者可以利用这个漏洞在设备的操作系统上执行任意命令,甚至提升权限到root。 然后,文章提到了受影响的产品包括思科统一通信管理器、中小企业版、即时通讯与呈现、Unity Connection和Webex Calling专用实例。思科已经发布了补丁,并建议用户升级软件来修复这个漏洞。CISA要求联邦机构在2026年2月11日前修复这个漏洞。 好的,现在我要把这些信息浓缩到100字以内。首先点出CISA将思科的漏洞加入目录,说明漏洞的严重性和影响范围,以及修复措施和截止日期。 可能的结构:CISA将思科统一通信产品的远程代码执行漏洞加入已知被利用目录,CVSS 8.2分,允许攻击者获取用户权限并提升至root。该漏洞影响多个产品版本,思科已发布补丁。CISA要求联邦机构于2026年2月11日前修复。 检查一下字数是否在100字以内。嗯,差不多。 </think> 美国网络安全和基础设施安全局(CISA)将思科统一通信产品的远程代码执行漏洞(CVE-2026-20045)加入已知被利用漏洞目录。该漏洞CVSS评分为8.2分,允许未认证攻击者通过精心构造的HTTP请求获取用户权限并提升至root。思科已发布补丁修复该漏洞,并建议用户升级软件版本以缓解风险。CISA要求联邦机构于2026年2月11日前完成修复工作。 2026-1-22 07:54:45 Author: securityaffairs.com(查看原文) 阅读量:3 收藏
U.S. CISA adds a flaw in Cisco Unified Communications products to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw impacting Cisco Unified Communications products to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Cisco Unified Communications products vulnerability, tracked as CVE-2026-20045 (CVSS score of 8.2), to its Known Exploited Vulnerabilities (KEV) catalog.
This week, Cisco patched a critical zero-day remote code execution flaw, tracked as CVE-2026-20045 (CVSS score of 8.2), actively exploited in attacks.
An unauthenticated, remote attacker can exploit the flaw to execute arbitrary commands on the underlying operating system of an affected device.
The bug affected Cisco Unified CM, Unified CM SME, IM & Presence, Unity Connection, and Webex Calling Dedicated Instance.
“This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device.” reads the advisory. “A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.”
Below are impacted versions:
Unified CM, Unified CM IM&P, Unified CM SME, and Webex Calling Dedicated Instance
| Cisco Unified CM, Unified CM IM&P, Unified CM SME, and Webex Calling Dedicated Instance Release | First Fixed Release |
|---|---|
| 12.5 | Migrate to a fixed release. |
| 14 | 14SU5 or apply patch file:1 ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512 |
| 15 | 15SU4 (Mar 2026) or apply patch file:1 ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512 |
1. Patches are version-specific. Consult the README attached to the patch for details.
Unity Connection
| Cisco Unity Connection Release | First Fixed Release |
|---|---|
| 12.5 | Migrate to a fixed release. |
| 14 | 14SU5 or apply patch file:1 ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512 |
| 15 | 15SU4 (Mar 2026) or apply patch file:1 ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512 |
1. Patches are version-specific. Consult the README attached to the patch for details.
The networking giant confirmed that there are no workarounds that address this vulnerability.
“The Cisco PSIRT is aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability.” concludes the advisory.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by February 11, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)
如有侵权请联系:admin#unsafe.sh