CVE-2026-20230

Confirmed PUBLISHED

Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability

Cisco · Cisco Unified Communications Manager

2 days faster than CISA KEV

Exploited in the wild Active exploitation observed PoC available Virtual patch available

Recommended Action

Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.

Confidence
Confirmed
Exploitation Status
Active exploitation observed
Observed in Sensors
Yes
Attempts (30d)
496
Unique Attacker IPs
24
CISA KEV
In CISA KEV
Virtual Patch
Yes 3 targets
CVSS / EPSS
8.6 High EPSS 41.7%

At a Glance

A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root. Note: To exploit this vulnerability, the WebDialer service must be enabled. WebDialer is disabled by default.

edge cisa
CVE Published
Jun 03, 2026
Exploitation Reported
Jun 23, 2026
CVSS
8.6 High
EPSS
41.7%
Remote Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
Cisco
Cisco Unified Communications Manager

14

Affected
Cisco
Cisco Unified Communications Manager

14SU1

Affected
Cisco
Cisco Unified Communications Manager

14SU2

Affected
Cisco
Cisco Unified Communications Manager

14SU3

Affected
Cisco
Cisco Unified Communications Manager

15

Affected
Cisco
Cisco Unified Communications Manager

15SU1

Affected
Cisco
Cisco Unified Communications Manager

14SU4

Affected
Cisco
Cisco Unified Communications Manager

14SU4a

Affected
Cisco
Cisco Unified Communications Manager

15SU1a

Affected
Cisco
Cisco Unified Communications Manager

15SU2

Affected
Cisco
Cisco Unified Communications Manager

15.0.1.13010-1

Affected
Cisco
Cisco Unified Communications Manager

15.0.1.13011-1

Affected
Cisco
Cisco Unified Communications Manager

15.0.1.13012-1

Affected
Cisco
Cisco Unified Communications Manager

15.0.1.13013-1

Affected
Cisco
Cisco Unified Communications Manager

15.0.1.13014-1

Affected
Cisco
Cisco Unified Communications Manager

15.0.1.13015-1

Affected
Cisco
Cisco Unified Communications Manager

15.0.1.13016-1

Affected
Cisco
Cisco Unified Communications Manager

15.0.1.13017-1

Affected
Cisco
Cisco Unified Communications Manager

15SU3a

Affected
Cisco
Cisco Unified Communications Manager

14SU5

Affected
Cisco
Cisco Unified Communications Manager

15SU4

Affected
Cisco
Cisco Unified Communications Manager

15SU4a

Affected

CVE References

  • cisco-sa-cucm-ssrf-cXPnHcW sec.cloudapps.cisco.com · CVE Record https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurity...

Recommended Actions

  • Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
  • Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.