Cisco Unified CM Vulnerability Now Actively Exploited in Attacks
A critical vulnerability in **Cisco Unified Communications Manager** (**Unified CM**), tracked as **CVE-2026-20230**, is now being actively exploited by threat actors. The Server-Side Request Forgery (SSRF) flaw was initially patched in early June, when Proof-of-Concept (PoC) exploit code was already publicly available. **Cisco** has now confirmed that it is under active attack and urges customers to apply patches or implement mitigations immediately.
Cisco has confirmed that a critical vulnerability within its **Unified Communications Manager** (**Unified CM**) software, identified as **CVE-2026-20230**, is now under active exploitation. The flaw, a Server-Side Request Forgery (SSRF), allows unauthenticated attackers to remotely execute low-complexity attacks by sending a specially crafted HTTP request.

### The Path to Active Exploitation
**Cisco** first released patches for **CVE-2026-20230** on June 3, acknowledging the existence of public Proof-of-Concept (PoC) exploit code. At that time, there was no evidence of active exploitation in the wild.
However, the situation quickly evolved. By June 22, threat intelligence firm **Defused** reported that attackers had begun exploiting the vulnerability. They were observed using specific `file://` payloads to create files on targeted devices.
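
For defenders reviewing web access logs, the reported `file://` payloads are a usable hunting indicator. The sketch below is an added example, not code from Cisco, Defused or SSD Secure. It assumes combined-format access logs, and the request path, parameter name, file paths and addresses in the sample lines are constructed placeholders, since the article does not give the real ones.

```python
import re
from urllib.parse import unquote

# Request target in a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
FILE_SCHEME_RE = re.compile(r"file:/", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # unwraps double/triple percent-encoding, bounded


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly until stable or the round limit is hit."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_file_scheme_requests(log_lines):
    """Return (line_number, client, decoded_target) for requests carrying a file: URL."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        target = fully_decode(match.group("target"))
        if FILE_SCHEME_RE.search(target):
            client = line.split(" ", 1)[0]
            hits.append((number, client, target))
    return hits


# Constructed sample log lines; path, parameter and addresses are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Jun/2026:10:01:02 +0000] "GET /EXAMPLE-SERVICE/page?url=file:///example/a HTTP/1.1" 200 512',
    '192.0.2.10 - - [22/Jun/2026:10:01:05 +0000] "GET /EXAMPLE-SERVICE/page?url=https%3A%2F%2Fintranet.example%2F HTTP/1.1" 200 901',
    '198.51.100.7 - - [22/Jun/2026:10:02:11 +0000] "POST /EXAMPLE-SERVICE/page?url=FILE%253A%252F%252F%252Fexample%252Fb HTTP/1.1" 200 0',
    '192.0.2.33 - - [22/Jun/2026:10:03:40 +0000] "GET /profile/index.html HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    for number, client, target in find_file_scheme_requests(SAMPLE_LOG):
        print(f"line {number}: {client} -> {target}")
```

Access logs record only the request line, so a payload carried in a request body will not appear here and needs proxy or packet-level inspection instead.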

The following day, **SSD Secure** published a detailed technical write-up, complete with a PoC exploit, further illustrating the vulnerability's mechanics.
### Cisco Confirms Active Exploitation and Urges Action
After initial reports, **Cisco** officially confirmed this week that **CVE-2026-20230** is indeed being actively exploited. The company has updated its security advisory, strongly recommending that customers upgrade to a fixed software release to remediate the vulnerability.
In cases where immediate patching is not feasible, **Cisco** advises administrators and security teams to disable the vulnerable WebDialer service. This mitigation can effectively block incoming attacks targeting **CVE-2026-20230** until a permanent patch, such as **Cisco Unified CM** versions 14SU6 or 15SU5 (Sep 2026 or COP), can be applied.
### Scope and Prior Cisco Vulnerabilities
Internet security watchdog **Shadowserver** currently tracks over 200 **Cisco Unified CM** instances exposed online, predominantly in Asia and North America. The extent to which these systems have been secured against the ongoing exploitation of **CVE-2026-20230** remains unclear.

This is not the first time **Cisco Unified CM** has been targeted. In recent years, **Cisco** has addressed other critical flaws in the platform, including **CVE-2024-20253** and **CVE-2025-20309**, which allowed attackers to gain root privileges. Another significant vulnerability, **CVE-2026-20045**, was exploited as a zero-day to achieve remote code execution.
The **U.S. Cybersecurity and Infrastructure Security Agency** (**CISA**) has cataloged 93 **Cisco** vulnerabilities as actively exploited in the wild since November 2021, with six of these being leveraged in ransomware attacks. This underscores the persistent threat landscape faced by **Cisco** product users and the critical importance of timely patching and proactive security measures.