More than 200 Cisco Unified Communications Manager (Unified CM) instances are exposed online, most located in Asia and North America, while attackers have begun exploiting a remotely triggerable flaw tracked as CVE-2026-20230.
The vulnerability: CVE-2026-20230 and low-complexity SSRF
CVE-2026-20230 is a server-side request forgery (SSRF) vulnerability in Cisco Unified CM — the central control system for Cisco IP telephony that handles call routing, device management, and telephony features. According to published details, threat actors without privileges can exploit the flaw remotely in low-complexity SSRF attacks by sending a crafted HTTP request. Researchers and vendors subsequently published proof-of-concept exploit code demonstrating practical attack paths.
Timeline: June disclosures to Cisco confirmation
Cisco released security patches on June 3 and at that time said its Product Security Incident Response Team (PSIRT) was aware of publicly available proof-of-concept exploit code for CVE-2026-20230 but had "no evidence of active exploitation." Roughly three weeks later, on June 22, threat intelligence firm Defused revealed that attackers had begun exploiting the flaw using properly constructed file:// payloads to create files on targeted devices. On June 23, SSD Secure published a technical write-up that included a proof-of-concept exploit and an explanation of how the vulnerability works. BleepingComputer contacted Cisco at that time to ask whether the company was seeing active exploitation and whether it could share indicators of compromise, but had not received a response. The company finally confirmed this Wednesday that attackers are now exploiting CVE-2026-20230 and urged customers to secure their systems against ongoing exploitation.
Cisco PSIRT guidance and immediate mitigation
In an update to its advisory, Cisco noted: "The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory." The advisory continues: "In June 2026, the Cisco PSIRT became aware of active exploitation of this vulnerability. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability."
Cisco recommends upgrading to fixed software releases. For customers who cannot immediately install the fixes, the company shared a mitigation: disable the vulnerable WebDialer service, which blocks incoming CVE-2026-20230 attacks, until a patch is applied. The advisory also references specific fixed Unified CM versions — 14SU6 or 15SU5 (Sep 2026 or COP) — as the remediation path.
Exposure and historical context: Shadowserver, past Unified CM flaws, and CISA tracking
Internet security watchdog Shadowserver is currently tracking over 200 Cisco Unified CM instances exposed online, most of them in Asia and North America; the tracker does not provide details on how many of those instances have been secured against CVE-2026-20230 exploitation. Cisco's Unified CM has seen multiple serious patches in recent years: two flaws (CVE-2024-20253 and CVE-2025-20309) that enabled threat actors to gain root privileges, and a separate Unified CM flaw (CVE-2026-20045) that has been actively exploited as a zero-day to gain remote code execution. Separately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has tagged 93 Cisco vulnerabilities as actively exploited in the wild since November 2021, six of which have been abused in ransomware attacks.
What this means for admins, CISA, and affected enterprises
- Admins and security teams: Patch or apply Cisco's recommended mitigations immediately. Where upgrades cannot be completed, disable the WebDialer service to block incoming CVE-2026-20230 attacks until fixed software is installed.
- CISA and defenders: The confirmation of active exploitation adds another Cisco vulnerability to the list of vendor products under active attack and underscores the need to prioritize detection and threat-hunting for SSRF activity and anomalous file creation on Unified CM hosts.
- Affected enterprises and procurement leaders: Review exposed Unified CM instances (Shadowserver reports >200 exposed) and accelerate patching schedules; consider inventory and isolation of telephony control systems to limit remote exposure while vendor updates are applied.
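One way to hunt for the file:// payloads described above in web access logs, as an added example that is not from Cisco, Defused or the original article. The common-log-format layout, the placeholder path /EXAMPLE-PATH, the parameter name u and every sample line are constructed assumptions; the check keys only on the file: scheme, which is the one request detail the article gives.

```python
import re
from urllib.parse import unquote

# Assumed common/combined access-log layout; adjust to the real log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# "file:" followed by slashes or backslashes, any letter case.
FILE_SCHEME_RE = re.compile(r'file:[/\\]+', re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hunt_file_scheme(lines):
    """Return one finding per request whose target carries a file: URL."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed layout
        decoded = fully_decode(m.group("target"))
        if FILE_SCHEME_RE.search(decoded):
            findings.append({"line": lineno, "src": m.group("src"),
                             "time": m.group("ts"),
                             "status": int(m.group("status")),
                             "decoded_target": decoded})
    return findings


# Constructed sample lines: documentation IPs, placeholder path and parameter.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Jun/2026:10:01:02 +0000] "GET /EXAMPLE-PATH?u=https%3A%2F%2Fintranet.example%2F HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Jun/2026:10:01:09 +0000] "GET /EXAMPLE-PATH?u=file:///EXAMPLE-FILE HTTP/1.1" 200 64',
    '203.0.113.9 - - [22/Jun/2026:10:01:15 +0000] "GET /EXAMPLE-PATH?u=FiLe%253A%252F%252F%252FEXAMPLE-FILE HTTP/1.1" 200 64',
    '192.0.2.44 - - [22/Jun/2026:10:02:00 +0000] "GET /profile/view HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in hunt_file_scheme(SAMPLE_LOG):
        print(finding)
```

A flagged request is a lead for the file-creation review mentioned above, not proof of compromise; the /profile/view line shows that a bare "file" substring does not trigger the rule.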
The arc of this episode is straightforward: a vendor patch announced on June 3; independent researchers and firms publishing exploit details; external reporting that escalated to a vendor confirmation of active exploitation. Cisco's advisory and the WebDialer mitigation give administrators concrete steps to block incoming exploit attempts, and Shadowserver's exposure count supplies a measurable, if unsettling, snapshot of attack surface. One clear, practical question remains for defenders and observers alike: how many of the more than 200 exposed Unified CM instances have been patched or had WebDialer disabled before further exploitation occurs?
Source: BleepingComputer — "Cisco finally confirms attackers exploiting Unified CM flaw"




