Cisco has issued security updates addressing a critical vulnerability in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The issue, identified as CVE-2026-20230 with a CVSS score of 8.6, has a proof-of-concept (PoC) exploit available.
Details of the Vulnerability
At the core of the vulnerability is improper validation of input in certain HTTP requests, which opens the door to server-side request forgery (SSRF). An attacker could exploit the flaw by sending a crafted HTTP request to a vulnerable system, potentially allowing them to write files to the underlying operating system. Cisco's advisory notes that such file writes can be a stepping stone to gaining root access.
The vulnerability is rated critical because of this potential for privilege escalation, and it affects only devices with the WebDialer service enabled. Notably, this service is disabled by default, which reduces the exposure of deployments that have not turned it on.
Cisco’s Mitigation Measures
To address the flaw, Cisco has released fixed software in Unified CM and Unified CM SME version 14SU6. Cisco also plans to include the fix in the upcoming version 15SU5, scheduled for release in September. Despite the availability of the PoC, Cisco states that it is not aware of any exploitation in the wild.
The Cisco Product Security Incident Response Team (PSIRT) stresses the importance of applying these patches promptly to safeguard against potential attacks. Users can find detailed information on how to apply these updates in Cisco’s security advisories.
Additional Security Updates
Alongside this critical patch, Cisco has also addressed two medium-severity vulnerabilities in its Webex Meetings and Finesse platforms. Both stem from insufficient validation of user-supplied input and could allow unauthenticated attackers to carry out cross-site scripting (XSS) attacks or inject arbitrary files into user sessions. Users are advised to update the affected systems to mitigate these risks.
While Cisco confirms that neither of these vulnerabilities has been publicly exploited, the presence of these security flaws underscores the need for vigilance and timely application of security updates.
For more information on these and other security issues, customers are encouraged to review Cisco’s security advisories page.
Related security updates from other organizations include warnings about exploited Linux Kernel vulnerabilities, critical flaws in HP VoIP phones, and Oracle’s monthly patch release addressing numerous vulnerabilities.
