Critical Cisco Unified CM Bug Patched as Public Exploit Code Emerges
Publish Date: 2026-06-04 09:10:12
Source Domain: securityaffairs.com
Cisco has released a patch for a critical vulnerability, CVE-2026-20230, in its Unified CM and Unified CM SME products. The flaw can be exploited remotely, without authentication, to perform server-side request forgery (SSRF). It stems from improper validation of certain HTTP request inputs, which in certain configurations could allow an attacker to write files to the underlying operating system and potentially escalate to root privileges. Cisco noted that proof-of-concept exploit code for the flaw is publicly available, which raises the urgency for administrators of affected systems to act. As a mitigation until the patch is applied, Cisco advised disabling the WebDialer service. The fixed software versions are 14.14SU6 and 15.SU5, depending on the system variant. Although exploit code is available, Cisco has reported no in-the-wild attacks exploiting this vulnerability.
Key Points:
- Cisco patched a high-severity CVE-2026-20230 in Unified CM and Unified CM SME allowing SSRF attacks without authentication.
- Proof-of-concept exploit code for the vulnerability is publicly available.
- Mitigation involves disabling the WebDialer service through the Unified CM Administration interface.
- No confirmed in-the-wild exploitation of this vulnerability has been reported.
- Patched versions are 14.14SU6 and 15.SU5 for Unified CM and Unified CM SME respectively.