Cisco has confirmed that attackers are actively exploiting a Cisco Unified CM vulnerability that allows remote server-side request forgery (SSRF) attacks. The flaw, tracked as CVE-2026-20230, received patches in early June, but security researchers later observed attackers using public exploit techniques against vulnerable systems.

The networking giant now urges organizations running Cisco Unified Communications Manager (Unified CM) to install the available security updates as soon as possible or apply temporary mitigations if they cannot patch immediately.

Attackers Began Exploiting the Flaw Weeks After the Patch

Cisco first disclosed the Cisco Unified CM vulnerability on June 3 when it released security updates addressing CVE-2026-20230.

At the time, the company’s Product Security Incident Response Team (PSIRT) acknowledged that proof-of-concept exploit code had already become publicly available. However, Cisco said it had not detected active attacks targeting the flaw.

That changed later in June.

Threat intelligence company Defused reported on June 22 that attackers had started exploiting the vulnerability by using specially crafted file:// payloads capable of creating files on targeted systems.

One day later, researchers at SSD Secure published a technical analysis explaining the vulnerability and released their own proof-of-concept exploit.

Cisco Now Confirms Ongoing Attacks

Cisco updated its original security advisory this week, confirming that attackers are actively exploiting CVE-2026-20230.

According to the company, its security team became aware of active exploitation during June and continues to strongly recommend that customers upgrade to a fixed software release.

The vulnerability affects Cisco Unified Communications Manager, formerly known as Cisco CallManager, which serves as the central platform for Cisco IP telephony environments by managing call routing, telephony services, and connected devices.

Attackers do not require privileges to exploit the flaw. Instead, they can send a specially crafted HTTP request that triggers a low-complexity server-side request forgery attack against vulnerable servers.

Cisco Recommends Immediate Mitigation

Organizations that cannot immediately deploy Cisco Unified CM versions 14SU6 or 15SU5—or the corresponding COP updates—should disable the vulnerable WebDialer service until they complete the upgrade.

Cisco says disabling the service blocks attacks that attempt to exploit CVE-2026-20230 through the exposed component.

Hundreds of Systems Remain Exposed

Internet monitoring organization Shadowserver currently tracks more than 200 internet-facing Cisco Unified CM instances, with most located in Asia and North America.

Researchers have not disclosed how many of those exposed systems have already installed Cisco’s security updates and how many remain vulnerable to ongoing attacks.

Cisco Continues to Face Active Threats Against Unified CM

Cisco has patched several high-impact Unified CM vulnerabilities in recent years.

Previous flaws, including CVE-2024-20253 and CVE-2025-20309, allowed attackers to obtain root privileges on affected systems. Another vulnerability, CVE-2026-20045, was exploited as a zero-day to achieve remote code execution before patches became available.

The broader trend also reflects the continued interest attackers show in Cisco products. Since November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 93 Cisco vulnerabilities to its catalog of flaws actively exploited in the wild. Authorities have linked six of those vulnerabilities to ransomware campaigns.

As attackers continue targeting enterprise communication platforms, organizations running Cisco Unified CM should prioritize installing the latest security updates to reduce the risk of compromise.

