Cisco finally confirms attackers exploiting Unified CM flaw
Cisco confirmed that attackers are now exploiting a Unified Communications Manager (Unified CM) vulnerability patched in early June. [...]
AI Analysis
Technical Summary
CVE-2026-20230 is a server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager that allows an unauthenticated remote attacker to exploit the system by sending crafted HTTP requests. Cisco patched this vulnerability in early June 2026 with fixed releases 14SU6 and 15SU5. Initially, Cisco was aware of public proof-of-concept exploit code but had no evidence of active exploitation. By late June 2026, however, threat actors had begun actively exploiting the flaw, using file:// payloads to create files on affected devices. Cisco confirmed ongoing exploitation and strongly recommends upgrading to patched versions. For environments unable to patch immediately, Cisco advises disabling the WebDialer service to block attacks. Shadowserver reports over 200 exposed Unified CM instances online, primarily in Asia and North America. This vulnerability adds to a series of recent critical flaws in Unified CM actively exploited in the wild.
Potential Impact
The vulnerability enables unauthenticated remote attackers to perform SSRF attacks against Cisco Unified CM, potentially allowing them to create files on the targeted system. This could lead to unauthorized system manipulation or further compromise. Active exploitation has been confirmed, increasing the risk to organizations running vulnerable versions of Unified CM. The exposure of over 200 instances online increases the attack surface. The impact is significant given Unified CM's role in managing IP telephony and call routing infrastructure.
Mitigation Recommendations
Cisco has released official patches in Unified CM versions 14SU6 and 15SU5 (September 2026 or COP) that fully remediate CVE-2026-20230. Customers are strongly urged to upgrade to these fixed releases as soon as possible. For those unable to patch immediately, Cisco recommends disabling the vulnerable WebDialer service to block incoming exploitation attempts. Monitor vendor advisories for updates and apply patches promptly to prevent ongoing exploitation.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/cisco-finally-confirms-attackers-exploiting-unified-cm-flaw/","fetched":true,"fetchedAt":"2026-07-02T11:52:00.685Z","wordCount":755}
Threat ID: 6a4650e027e9c79719d08c31
Added to database: 07/02/2026, 11:52:00 UTC
Last enriched: 07/02/2026, 11:52:16 UTC
Last updated: 07/03/2026, 01:20:14 UTC