Cisco has confirmed that threat actors are actively exploiting a server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM), roughly a month after patches were first released and weeks after third-party researchers flagged in-the-wild abuse.
The Vulnerability
Tracked as CVE-2026-20230, the flaw affects Unified CM, formerly known as Cisco CallManager, which serves as the central control plane for Cisco IP telephony environments handling call routing, device management, and telephony features. An unauthenticated, remote attacker can exploit the vulnerability through low-complexity attacks by sending a specially crafted HTTP request, with no privileges required.
Timeline of Disclosure and Exploitation
Cisco released patches on June 3, 2026, noting at the time that proof-of-concept exploit code was publicly available but that its Product Security Incident Response Team (PSIRT) had not observed active exploitation. That changed on June 22, when threat intelligence firm Defused reported that attackers had begun exploiting the flaw using crafted file:// payloads to create files on targeted systems. The following day, SSD Secure published a technical write-up alongside its own proof-of-concept exploit.
Cisco did not publicly acknowledge active exploitation until this week, when it updated its original advisory to state that it became aware of exploitation in June 2026 and strongly urged customers to upgrade to a fixed release.
Mitigations and Patched Versions
Cisco recommends upgrading to one of the following fixed releases:
- Unified CM 14SU6
- Unified CM 15SU5 (September 2026 or COP release)
For organizations unable to patch immediately, Cisco advises disabling the vulnerable WebDialer service as a temporary mitigation to block incoming exploit attempts.
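While a fix or the workaround is being rolled out, web access logs can be checked for the file:// payloads reported by Defused. The following is an added example, not code from Cisco, Defused or SSD Secure; the Common Log Format layout, the placeholder request paths and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines. Common Log Format is an assumption and the
# request paths are placeholders, not real Unified CM endpoints.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Jun/2026:10:01:02 +0000] "GET /placeholder/service?target=file:///tmp/x HTTP/1.1" 200 512
198.51.100.7 - - [22/Jun/2026:10:01:09 +0000] "GET /placeholder/service?target=FILE%3A%2F%2F%2Ftmp%2Fx HTTP/1.1" 200 512
198.51.100.9 - - [22/Jun/2026:10:02:30 +0000] "POST /placeholder/service?u=%2566ile%253A%252F%252Ftmp HTTP/1.1" 500 0
203.0.113.20 - - [22/Jun/2026:10:03:00 +0000] "GET /placeholder/help?topic=profile://settings HTTP/1.1" 200 90
203.0.113.21 - - [22/Jun/2026:10:04:00 +0000] "GET /placeholder/login HTTP/1.1" 200 1200
"""

# source, timestamp, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# "file:/" as a scheme of its own, not the tail of a longer token such as "profile:/"
FILE_SCHEME_RE = re.compile(r'(?<![a-z0-9+.\-])file:/', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_file_scheme_requests(log_text):
    """Return one record per request whose decoded target carries a file: URL.

    Only the request line is inspected; payloads sent in a request body do
    not appear in access logs and need a different data source.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, ts, method, target, status = m.groups()
        decoded = fully_decode(target)
        if FILE_SCHEME_RE.search(decoded):
            hits.append({"src": src, "time": ts, "method": method,
                         "target": decoded, "status": int(status)})
    return hits

if __name__ == "__main__":
    for hit in find_file_scheme_requests(SAMPLE_LOG):
        print(hit)
```

A hit shows that a file: URL was sent, not that it succeeded; the status code and any file-creation evidence on the host need to be reviewed alongside it.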
Exposure and Broader Context
Internet monitoring organization Shadowserver is currently tracking more than 200 Cisco Unified CM instances exposed to the internet, with the largest concentrations in Asia and North America. It is not known how many of those instances have been patched or otherwise protected against CVE-2026-20230 attacks.
This is not the first time Unified CM has drawn attacker interest. Cisco has previously patched CVE-2024-20253 and CVE-2025-20309, both of which could allow root-level access, as well as CVE-2026-20045, which was exploited as a zero-day for remote code execution. More broadly, the U.S. Cybersecurity and Infrastructure Security Agency has catalogued 93 Cisco vulnerabilities as actively exploited since November 2021, six of which have been tied to ransomware attacks.
Security teams with Unified CM deployments should prioritize patching or apply the WebDialer workaround immediately, given confirmed active exploitation.
