Cisco has officially confirmed that a vulnerability recently patched in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME) is being actively exploited in the wild. The flaw, tracked as CVE-2026-20230, has a CVSS score of 8.6, which rates it as high severity.
Description of the Vulnerability
The vulnerability stems from inadequate validation of specific HTTP requests, which can enable attackers to execute Server-Side Request Forgery (SSRF) attacks. Exploiting this weakness could result in arbitrary files being written to the underlying operating system, potentially allowing attackers to obtain root access.
Cisco has noted that only systems with the WebDialer service activated are susceptible to this flaw. However, this service is disabled by default, reducing the number of affected systems.
Patch and Advisory Updates
In early June, Cisco issued patches for this vulnerability in Unified CM and Unified CM SME version 14SU6. The company also announced that these fixes would be incorporated into version 15SU5, anticipated to be released in September. Despite previously stating that no active exploitation was occurring, Cisco updated its advisory on Wednesday to confirm that attacks exploiting this vulnerability are indeed happening.
Cisco continues to advise its customers to upgrade to a fixed software version to mitigate the risk posed by this security flaw.
Community and Industry Response
The warning from Cisco followed reports from exploit intelligence firm Defused, which observed exploitation attempts from a single source using an unverified proof-of-concept (PoC). Additionally, SSD Secure Disclosure, credited with discovering the vulnerability, has released technical details and a PoC.
Before the advisory was updated, Cisco had told SecurityWeek that there was no evidence of malicious exploitation of this vulnerability.
Conclusion
As the situation develops, Cisco’s confirmation of active exploitation underscores the importance of addressing this vulnerability promptly. Organizations using affected Cisco products should prioritize the application of patches to safeguard their systems.
