Cisco has confirmed that attackers are exploiting a vulnerability in Unified Communications Supervisor (Unified CM) that was patched in early June.
Unified CM (previously often known as Cisco CallManager) is the central management system for Cisco IP Telephony programs and handles name routing, gadget administration, and telephony features.
An unprivileged attacker may remotely exploit this vulnerability (CVE-2026-20230) through a low-complexity server-side request forgery (SSRF) assault by sending a crafted HTTP request.
Cisco mentioned on June 3 that its Product Safety Incident Response Group (PSIRT) was conscious of publicly out there proof-of-concept exploit code for CVE-2026-20230, however there was no proof of lively exploitation.
Nonetheless, about three weeks later, on June twenty second, menace intelligence agency Defused revealed that attackers started exploiting the flaw by creating recordsdata on focused gadgets utilizing a correctly constructed file:// payload.

A day later, SSD Safe additionally printed a technical doc containing a proof-of-concept exploit to clarify how the vulnerability works.
BleepingComputer reached out to Cisco on the time to ask if it was seeing this flaw being actively exploited in assaults and if it may share IOCs with defenders, however has not but acquired a response.
The corporate on Wednesday of this week lastly confirmed that attackers are at the moment exploiting CVE-2026-20230 and urged clients to guard their programs from continued exploitation.
“Cisco PSIRT is conscious that proof-of-concept exploit code is accessible for the vulnerability described on this advisory,” Cisco mentioned in an replace to the unique advisory.
“In June 2026, Cisco PSIRT grew to become conscious of lively exploitation of this vulnerability. Cisco continues to strongly encourage clients to improve to a set software program launch that fixes this vulnerability.”
Cisco can be sharing mitigations for directors and safety groups who can’t instantly set up Cisco Unified CM model 14SU6 or 15SU5 (September 2026 or COP), advising them to disable the susceptible WebDialer service till a patch is utilized that blocks CVE-2026-20230 assaults.
Web safety watchdog Shadowserver is at the moment monitoring greater than 200 Cisco Unified CM cases uncovered on-line, principally in Asia and North America, however particulars about what number of have been protected against the continuing CVE-2026-20230 assaults are unclear.

In recent times, Cisco has additionally patched two Unified CM flaws (CVE-2024-20253 and CVE-2025-20309) that enable menace actors to achieve root privileges, and one other Unified CM flaw (CVE-2026-20045) that’s actively being exploited as a zero-day to achieve distant code execution.
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has tagged 93 Cisco vulnerabilities as being actively exploited within the wild since November 2021, six of which had been utilized in ransomware assaults.
Safety groups doc 54% of profitable assaults and problem a warning on solely 14%. The remaining strikes invisibly via the atmosphere.
Picus’ whitepaper reveals the best way to check your SIEM and EDR guidelines in breach and assault simulations to make sure threats go undetected.
Get the white paper
