Cisco Unified CM flaw under active exploitation after public disclosure

Threat actors have started exploiting a critical flaw in Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition, with the bug tracked as CVE-2026-20230 and rated 8.6 out of 10. The issue can let an unauthenticated remote attacker carry out server-side request forgery through affected devices.

KEY FACTS

  • Vulnerability: CVE-2026-20230 affects Unified CM and Unified CM SME.
  • Impact: Successful exploitation could allow file writes on the underlying operating system.
  • Condition: The WebDialer service must be enabled for exploitation to work.
  • Mitigation: Cisco has patched versions 14SU6 and 15SU5.

In an official advisory, Cisco said a crafted HTTP request could trigger the flaw and let an attacker write files that might later be used to gain root access. The WebDialer feature is disabled by default, and Cisco listed steps for checking whether it is running.

Defused Cyber said it had observed active exploitation from a single source using an unvetted proof of concept, with file:// payloads reaching decoy systems. SSD Secure Disclosure later published technical details saying the bug could allow arbitrary file writes by using the WebDialer component to determine the target hostname.
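
The file:// payloads mentioned above are something defenders can hunt for in web access logs. The following Python is an added example, not code from Cisco, Defused Cyber or SSD Secure Disclosure: it flags logged requests whose target decodes to a file: URL, including percent-encoded and double-encoded forms. The combined log format, the placeholder paths and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request portion of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
FILE_SCHEME_RE = re.compile(r"file:/", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # unwrap double/triple percent-encoding, bounded


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_file_scheme_requests(lines):
    """Return (source, method, decoded_target) for requests carrying a file: URL."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        target = fully_decode(m.group("target"))
        if FILE_SCHEME_RE.search(target):
            hits.append((m.group("src"), m.group("method"), target))
    return hits


# Constructed sample lines: documentation-range addresses, placeholder paths.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /placeholder/endpoint?dest=file:///tmp/x HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /placeholder/endpoint?dest=%2566ile%253A%252F%252Ftmp%252Fx HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2026:10:01:00 +0000] "GET /placeholder/profile?name=alice HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for src, method, target in find_file_scheme_requests(SAMPLE_LOG):
        print(f"{src} {method} {target}")
```

Payloads sent in a request body do not appear in access logs, so an empty result here does not rule out an attempt.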

Cisco has not yet updated its advisory to reflect the reported exploitation. The company also recently issued fixes for CVE-2026-20262 in Catalyst SD-WAN Manager after that flaw was found under active attack.

WHY IT MATTERS

The flaw affects communications software used in enterprise environments, and the exploitation reports raise the risk for systems that still have WebDialer enabled. Organizations running the affected versions may need to patch or disable the service to reduce exposure.