Cisco has confirmed that a critical vulnerability in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME) has been actively exploited in the wild. The vulnerability, tracked as CVE-2026-20230, carries a CVSS score of 8.6. The flaw stems from improper validation of certain HTTP requests, which can be abused for server-side request forgery (SSRF). If successfully exploited, it allows an attacker to write arbitrary files to the underlying operating system, potentially gaining root access. The vulnerability only affects systems on which the WebDialer service is enabled; that service is disabled by default.
Earlier this year, Cisco released patches for this vulnerability in version 14SU6 of Unified CM and Unified CM SME. The company also announced that the fix would be included in the upcoming version 15SU5, expected in September. Although Cisco initially believed the vulnerability was not being exploited, recent updates to its advisory confirm active exploitation. This development follows reports from exploit intelligence firm Defused, which indicated that exploitation attempts had been observed from a single source using unverified proof-of-concept (PoC) code. Cisco continues to urge customers to upgrade to a fixed software release to mitigate the risk.
The vulnerability was initially discovered by SSD Secure Disclosure, which has since published technical details and a PoC to highlight the potential risks associated with this security flaw. Organizations using Unified CM and Unified CM SME should prioritize applying these patches to protect their systems from unauthorized access and potential data breaches.