Cisco Confirms Active Exploitation of Unified CM Vulnerability CVE-2026-20230

Cisco Confirms Active Exploitation of Unified CM Vulnerability CVE-2026-20230

First seen 2 Jul 2026, 22:50 UTC BleepingcomputerOodaloopwww.securityweek.com 84% similarity 72.9
Share:

Article Content

Browse articles
ThreatCluster

Cisco has confirmed that attackers are exploiting a vulnerability in its Unified Communications Manager (Unified CM), tracked as CVE-2026-20230, which was patched on June 3, 2026. This vulnerability allows for server-side request forgery (SSRF) attacks through improperly validated HTTP requests, potentially leading to arbitrary file creation on affected systems. The flaw primarily affects systems with the WebDialer service enabled, which is disabled by default. Threat intelligence firm Defused reported active exploitation on June 22, 2026, followed by a technical write-up from SSD Secure. Cisco has urged customers to upgrade to fixed software versions 14SU6 or 15SU5 and provided mitigation measures for those unable to patch immediately. Currently, over 200 Cisco Unified CM instances are exposed online, mainly in Asia and North America. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has classified this vulnerability as actively exploited in the wild.

Key Points: • Cisco's Unified CM vulnerability CVE-2026-20230 is actively being exploited. • Attackers can execute SSRF attacks leading to arbitrary file creation on vulnerable systems. • Over 200 Cisco Unified CM instances are exposed online, prompting urgent patching.

ThreatCluster AI

Timeline

2024-01-26
CVE-2024-20253 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2025-07-02
CVE-2025-20309 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-01-21
CVE-2026-20045 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-06-03
CVE-2026-20230 patched
Cisco released security patches for the Unified CM vulnerability CVE-2026-20230.
BleepingComputer
2026-06-22
Active exploitation reported
Threat intelligence firm Defused revealed that attackers began exploiting CVE-2026-20230.
BleepingComputer
2026-06-25
CISA adds CVE-2026-20230 to KEV
CISA classified CVE-2026-20230 as actively exploited, highlighting its severity.
BleepingComputer
2026-07-02
Cisco confirms ongoing exploitation
Cisco officially acknowledged that attackers are exploiting CVE-2026-20230 and urged customers to secure their systems.
BleepingComputer

Community

Browse all →