Cisco confirms attackers exploiting Unified CM flaw

Brajeshwar1 pts0 comments

Cisco finally confirms attackers exploiting Unified CM flaw

Home<br>News<br>Security<br>Cisco finally confirms attackers exploiting Unified CM flaw

Cisco finally confirms attackers exploiting Unified CM flaw

By Sergiu Gatlan

July 2, 2026

07:35 AM

Cisco confirmed that attackers are now exploiting a Unified Communications Manager (Unified CM) vulnerability patched in early June.

Unified CM (formerly known as Cisco CallManager) is the central control system for Cisco IP telephony systems, handling call routing, device management, and telephony features.

Threat actors without privileges can exploit the vulnerability (CVE-2026-20230) remotely in low-complexity server-side request forgery (SSRF) attacks by sending a crafted HTTP request.

Cisco said on June 3, when it released security patches to address this issue, that its Product Security Incident Response Team (PSIRT) was aware of publicly available proof-of-concept exploit code for CVE-2026-20230 but had no evidence of active exploitation.

However, roughly three weeks later, on June 22, threat intelligence firm Defused revealed that attackers had begun exploiting the flaw using properly constructed file:// payloads to create files on targeted devices.

CVE-2026-20230 exploitation (Defused)

One day later, SSD Secure also published a technical write-up that included a proof-of-concept exploit and explained how the vulnerability works.

BleepingComputer contacted Cisco at the time to ask whether they were also seeing the flaw actively exploited in attacks and whether they could share any IOCs with defenders, but we have yet to receive a response.

The company finally confirmed this Wednesday that attackers are now exploiting CVE-2026-20230 and urged customers to secure their systems against ongoing exploitation.

"The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory," Cisco notes in an update to the original advisory.

"In June 2026, the Cisco PSIRT became aware of active exploitation of this vulnerability. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability."

Cisco has also shared mitigation measures for admins and security teams who can't immediately install Cisco Unified CM versions 14SU6 or 15SU5 (Sep 2026 or COP), advising them to disable the vulnerable WebDialer service until a patch is applied to block incoming CVE-2026-20230 attacks.

Internet security watchdog Shadowserver is currently tracking over 200 Cisco Unified CM instances exposed online, most of them in Asia and North America, but there are no details regarding how many have been secured against ongoing CVE-2026-20230 attacks.

Cisco Unified CM instances exposed online (Shadowserver)

​In recent years, Cisco has also patched two Unified CM flaws (CVE-2024-20253 and CVE-2025-20309) that enabled threat actors to gain root privileges and another Unified CM flaw (CVE-2026-20045) that has been actively exploited as a zero-day to gain remote code execution.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) tagged 93 Cisco vulnerabilities as actively exploited in the wild since November 2021, six of which have been abused in ransomware attacks.

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.<br>The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

Related Articles:

Cisco warns of critical Unified CM flaw with PoC exploit code<br>Cisco warns that Unified CM has hardcoded root SSH credentials<br>CISA sets urgent deadline to fix Cisco flaw exploited in attacks<br>Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks<br>CISA flags new SD-WAN flaw as actively exploited in attacks

Actively Exploited

Cisco

Cisco Unified Communications

SSRF

Unified Communications Manager

Sergiu Gatlan

Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade. Email or Twitter DMs for tips.

Previous Article

Next Article

Post a Comment Community Rules

You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Upcoming Webinar

Popular Stories

U.S. offers $10 million for hackers targeting WhatsApp, Signal users

Hackers target Microsoft 365 accounts with 81 million login attempts

CISA: Windows BlueHammer flaw now exploited by ransomware gangs

Sponsor Posts

Turn Indicators into Actionable Intelligence in OpenCTI with Criminal IP

Stay one step ahead of new threats in the new year. Join Huntress for the monthly Tradecraft Tuesday.

See how Pixellot discovered and secured hundreds of unmanaged AI agent identities in weeks, not months. Read the case study.

CTI Starter Kit + 2026 SANS CTI Survey

Build a GRC agent in minutes, no code. Get early access to Agent...

cisco unified flaw attacks attackers exploited

Related Articles