Cisco Confirms Active Exploitation of Unified CM Vulnerability
Cisco has verified that a recently addressed vulnerability in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME) is being actively exploited in real-world attacks.
Vulnerability Confirmation
Cisco has verified that a recently addressed vulnerability in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME) is being actively exploited in real-world attacks.
Initial Advisory and PoC
The vulnerability, designated CVE-2026-20230 with a CVSS score of 8.6, stems from inadequate validation of specific HTTP requests, creating opportunities for server-side request forgery (SSRF) attacks.
Revised Advisory and Exploitation
Cisco revised its advisory to confirm that the vulnerability is now being leveraged in live attacks. The update follows reports from exploit intelligence firm Defused, which observed exploitation originating from a single source using an unvetted PoC.
Vulnerability Details
The flaw, designated CVE-2026-20230 with a CVSS score of 8.6, stems from inadequate validation of specific HTTP requests, creating opportunities for server-side request forgery (SSRF) attacks.
Technical Impact
Exploitation of this weakness could enable threat actors to deploy arbitrary files on the underlying operating system, potentially granting root-level access.
Affected Systems
The vulnerability affects devices with the WebDialer service enabled, a component that is disabled by default.
Patches and Updates
Cisco released patches for the issue in Unified CM and Unified CM SME version 14SU6 in early June, with updates also planned for version 15SU5 scheduled for September.
Released Patches
Cisco released patches for the issue in Unified CM and Unified CM SME version 14SU6 in early June.
Upcoming Updates
Updates for version 15SU5 are scheduled for September.
Security Recommendations
Cisco reiterated its recommendation for users to apply the latest software updates to mitigate the risk.
Immediate Actions
Organizations utilizing Unified CM or Unified CM SME are advised to review their configurations, disable unnecessary services, and prioritize patch management to prevent potential compromise.
Long-term Strategies
The disclosure highlights the urgency of addressing critical flaws promptly, as threat actors increasingly exploit newly disclosed vulnerabilities before official patches are widely deployed.
Broader Implications
The incident underscores the ongoing challenges of securing communication platforms, particularly those with legacy components like WebDialer.
Trend Analysis
The vulnerability’s exploitation aligns with broader trends of attackers leveraging SSRF techniques to bypass security controls and escalate privileges.
Industry Impact
Cybersecurity teams are urged to monitor for signs of unauthorized file deployment or suspicious HTTP traffic, which could indicate attempts to exploit the flaw.
Conclusion
As the threat landscape evolves, the case of CVE-2026-20230 serves as a reminder of the importance of proactive vulnerability management and the risks associated with delayed remediation.
