
Cisco Unified CM: Critical Vulnerability Actively Exploited Weeks After Patch

Bottom line: CVE-2026-20230 in Cisco Unified CM (CVSS 8.6) is being exploited in the wild only weeks after Cisco released patches in early June; it chains server-side request forgery with file-write operations to reach root on the appliance.

A critical vulnerability in Cisco Unified CM is already being actively exploited, even though the vendor only released patches in early June. Threat intelligence company Defused reported the first observed exploitation attempts on June 23, 2026.

The vulnerability is tracked as CVE-2026-20230 and carries a CVSS base score of 8.6 (a score that CVSS v3.x classifies as High rather than Critical). Cisco published the advisory and patches on June 3 and stated at the time that it had no indications of malicious use. Defused first documented exploitation activity on the weekend of June 22/23 and described the attacks as “genuinely formatted file:// file-write payloads from a single source using an unverified PoC”.

The root cause is insufficient validation of certain HTTP requests. An unauthenticated remote attacker can abuse this to perform server-side request forgery (SSRF) against an affected installation; after successful exploitation, files can be written to the underlying operating system and privileges escalated to root. The researcher's report published by SSD Secure Disclosure indicates that several weaknesses are chained: the SSRF component provides the write primitive, and the written file is then used to execute code on the system.
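Defused's description of the probes as file:// payloads in HTTP requests gives defenders a concrete thing to look for. The script below is an added example, not code from Cisco, Defused or SSD Secure Disclosure: it scans web-server access log lines for a file:// URI in the request path or any query parameter, percent-decoding repeatedly so double-encoded variants (%2566ile%253A...) are not missed, and groups hits by source address. The combined-style log format, the endpoint path /example/servlet, the parameter name url and the log lines themselves are constructed placeholders, not the real WebDialer endpoint or the attackers' payloads, which the page does not disclose.

```python
"""Flag HTTP requests that carry a file:// URI in a parameter, the pattern
Defused reported for the CVE-2026-20230 probes.

Added example, not Cisco's, Defused's or SSD's code. The log format, the
endpoint path, the parameter names and the log lines are all constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/Tomcat combined-style access log (assumed format, not CUCM's own).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# file:// in any letter case, tolerating extra slashes (file:///etc/passwd).
FILE_SCHEME = re.compile(r"file:/{2,}", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 4) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    %2566ile%253A%252F%252F is reduced to file:// before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_target(target: str) -> list:
    """Return [(where, decoded_value)] for every file:// URI found in the
    request path or in a query parameter of one request target."""
    parts = urlsplit(target)
    hits = []
    path = fully_decode(parts.path)
    if FILE_SCHEME.search(path):
        hits.append(("path", path))
    # parse_qsl decodes one layer; fully_decode strips any further layers.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        if FILE_SCHEME.search(value):
            hits.append((name, value))
    return hits


def scan_log(lines) -> list:
    """Return one record per request that carries a file:// URI."""
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unknown format: skip rather than guess at fields
        hits = scan_target(m.group("target"))
        if hits:
            flagged.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "hits": hits,
            })
    return flagged


def sources(flagged) -> set:
    """Distinct source addresses behind the flagged requests."""
    return {record["src"] for record in flagged}


# Constructed sample: one source probing with plain and double-encoded
# file:// values, plus benign traffic. Paths and parameters are placeholders.
SAMPLE_LOG = [
    '203.0.113.10 - - [23/Jun/2026:02:14:07 +0000] '
    '"GET /example/servlet?url=http%3A%2F%2Fintranet.example%2Fping HTTP/1.1" 200 512',
    '203.0.113.10 - - [23/Jun/2026:02:14:09 +0000] '
    '"GET /example/servlet?url=file%3A%2F%2F%2Ftmp%2Fx HTTP/1.1" 200 131',
    '203.0.113.10 - - [23/Jun/2026:02:14:12 +0000] '
    '"GET /example/servlet?url=%2566ile%253A%252F%252F%252Fetc%252Fpasswd HTTP/1.1" 500 0',
    '198.51.100.7 - - [23/Jun/2026:02:15:00 +0000] '
    '"GET /example/index.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for record in scan_log(SAMPLE_LOG):
        print(record["src"], record["status"], record["hits"])
    print("sources:", sorted(sources(scan_log(SAMPLE_LOG))))
```

Replace SAMPLE_LOG with your own access log lines to run it for real. A hit is a reason to check whether WebDialer is enabled on that node and whether unexpected files have appeared on the host, not proof of compromise: the page offers no indicators of successful exploitation, and a 500 response, as in the constructed sample, says nothing about whether the write landed.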

Cisco Unified CM and Unified CM Session Management Edition (SME) are widely deployed enterprise platforms for voice, video, messaging, mobility and conferencing. The vulnerability is only reachable remotely when the WebDialer component is enabled, and WebDialer is disabled by default. According to Defused, this is the first recorded exploitation of the vulnerability, which has not yet been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

Cisco states that there is no workaround. As an interim mitigation, administrators are advised to disable the WebDialer service, which removes the remote attack surface at the cost of the click-to-dial functionality that depends on it. A fixed build for the 14 release train is available as 14SU6; for the 15 train, the fix in 15SU5 is scheduled for September 2026 or can be applied earlier via an interim COP (Cisco Options Package) patch. Neither Cisco nor Defused has identified the attacker or published indicators of successful compromise.


Source: www.csoonline.com · Published June 24, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
