Published on July 4, 2026

Cisco Finally Confirms Attackers Exploiting Unified CM Flaw


Severity

High

Detail

Cisco has confirmed that threat actors are actively exploiting a vulnerability in Cisco Unified Communications Manager (Unified CM), tracked as CVE-2026-20230, following the release of security patches in early June 2026. The issue affects Cisco Unified CM, the centralized call control platform used to manage Cisco IP telephony systems, making organizations that rely on Cisco voice infrastructure potential targets. Initially, Cisco acknowledged the existence of public proof-of-concept (PoC) exploit code but reported no evidence of active exploitation. However, the company has now confirmed that attackers began exploiting the vulnerability during June 2026.

According to Shadowserver, more than 200 Cisco Unified CM instances remain exposed to the internet, primarily in Asia and North America, increasing the potential attack surface for ongoing exploitation.

How?

The attacks exploit a low-complexity Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated, remote threat actors to compromise the system simply by sending a specially crafted HTTP request to a vulnerable server.

According to threat intelligence reports, attackers exploit this flaw with properly constructed file:// payloads, which let them bypass security controls and create unauthorized files directly on the targeted devices. The speed and frequency of these attacks accelerated significantly following the public release of PoC exploit code and detailed technical write-ups, which lowered the barrier to entry and allowed threat actors to easily weaponize the flaw against internet-exposed systems.
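
A defender-side check for the pattern described above, added here as an example and not taken from Cisco's advisory or the cited reports: it scans web access logs for request targets that carry a `file:` URI once percent-encoding has been fully decoded. The combined log format, the `/placeholder/service` path and the `dest` parameter are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumed combined-log-format entry: ip ... "METHOD target HTTP/x.y" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
FILE_SCHEME_RE = re.compile(r"file:/", re.IGNORECASE)
MAX_DECODE_ROUNDS = 5  # bound the work on pathological multi-encoded input


def fully_decode(value):
    """Percent-decode until stable so double-encoded schemes (%253A) are visible."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_file_scheme_requests(lines):
    """Return (client_ip, status, decoded_target) for requests carrying a file: URI."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable access-log entry
        target = fully_decode(m.group("target"))
        if FILE_SCHEME_RE.search(target):
            hits.append((m.group("ip"), int(m.group("status")), target))
    return hits


# Constructed sample lines; path, parameter and addresses are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jul/2026:10:00:01 +0000] "GET /placeholder/service?dest=sip%3Auser%40example.test HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Jul/2026:10:00:05 +0000] "GET /placeholder/service?dest=file%3A%2F%2F%2Fplaceholder-a HTTP/1.1" 200 128',
    '198.51.100.7 - - [04/Jul/2026:10:00:09 +0000] "GET /placeholder/service?dest=FiLe%253A%252F%252F%252Fplaceholder-b HTTP/1.1" 500 0',
    '203.0.113.4 - - [04/Jul/2026:10:00:12 +0000] "GET /placeholder/profile?name=myfile HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for ip, status, target in find_file_scheme_requests(SAMPLE_LOG):
        print(f"{ip} status={status} {target}")
```

Access logs record only the request line, so a payload sent in a POST body will not appear here; covering that case needs body logging at a reverse proxy or WAF in front of the server.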

Conclusion

This active campaign underscores the speed with which threat actors operationalize publicly available PoC exploits, especially against critical enterprise infrastructure like VoIP systems. Organizations utilizing Cisco Unified CM must act immediately to secure their communication pipelines by mitigating the risk of compromise:

  • Upgrade to a fixed software release, specifically Cisco Unified CM versions 14SU6 or 15SU5.
  • If immediate patching is not logistically feasible, administrators should disable the vulnerable WebDialer service right away to block CVE-2026-20230 attacks.
  • Ensure Unified CM instances are not directly exposed to the public internet unless absolutely necessary, and restrict access via strict firewall rules or VPNs.

Source

https://www.bleepingcomputer.com/news/security/cisco-finally-confirms-attackers-exploiting-unified-cm-flaw

https://nvd.nist.gov/vuln/detail/CVE-2026-20230

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW