Unauthenticated RCE in Cisco Unified Communications Products Web Management Interface

Repository contains a single Python PoC script and a README. The script (CVE-2026-20045.py) is a network-based, unauthenticated RCE attempt against Cisco Unified Communications web/management interfaces. It iterates over several hardcoded candidate paths (/cucm-uds/, /cmplatform/, /ucmuser/, /unity/, /webexcalling/ etc.), sending a Stage-1 GET request with a base64-encoded command-injection string placed into a `query` parameter. If the response looks promising (status 200/302/500 or lacks the word 'error'), it performs Stage-2 by POSTing to the same path with an `escalate` parameter and `cmd` form field containing base64-encoded `sudo -i; {command}` to try to obtain root execution. The operator supplies the command on the CLI, enabling behaviors like running system commands, spawning a reverse shell, or downloading/executing a remote script (as shown in README examples). The code disables TLS verification (verify=False) and sets X-Forwarded-For: 127.0.0.1, suggesting an attempt to influence trust logic. Overall, this is a basic PoC with assumptions about both the injection point and privilege escalation; it is not a framework module and has minimal validation of actual command execution beyond HTTP status/response text.

Repository contains a single Python proof-of-concept exploit script and a README. Structure: - CVE-2026-20045.py: Python script that takes a target base URL and an arbitrary shell command. It iterates over a list of common Cisco Unified Communications web/management paths and performs two stages of HTTP requests: 1) Stage 1 GET request to `<base><path>?query=<base64>` where the base64 decodes to a classic command-injection string `'; <command> #`. 2) Stage 2 POST request to `<base><path>?escalate=<base64>` with form data `cmd=<base64>`, where the base64 decodes to `sudo -i; <command>`. The script prints status codes and up to 1000 characters of response body as “possible command output”. TLS verification is disabled (verify=False) and it sets `X-Forwarded-For: 127.0.0.1`. - README.md: Marketing-style writeup and usage examples (id/whoami/uname, reverse shell via /dev/tcp, and curl|bash). Lists affected Cisco UC products. Exploit capabilities: - Network-based, unauthenticated attempt at remote command execution against multiple candidate web paths. - Operator-controlled command execution (can be used for reconnaissance, reverse shell, or download/execute depending on the provided command). - Claims root execution via a second-stage `sudo -i` escalation attempt, but does not implement a specific privilege-escalation vulnerability beyond assuming sudo access. Notable observables/fingerprintables: - Targeted paths: /cucm-uds/, /cucm-uds/users, /cmplatform/, /ucmuser/, /unity/, /webexcalling/. - Query parameters used as delivery vectors: `query` and `escalate`, plus POST form field `cmd`. - Headers: `User-Agent: ... CiscoExploit/1.0` and `X-Forwarded-For: 127.0.0.1`. Overall, this is a simple PoC-style command-injection driver that sprays a small set of likely Cisco UC web endpoints and attempts to run an arbitrary command, with a follow-up request that assumes sudo-based escalation to root.