
Cisco finally confirms attackers exploiting Unified CM flaw

Why This Matters

The confirmation of active exploitation of the Cisco Unified CM vulnerability highlights the urgent need for organizations to apply security patches and strengthen their telephony infrastructure against emerging threats. This incident underscores the importance of proactive vulnerability management in safeguarding critical communication systems from cyberattacks that can disrupt operations or compromise sensitive data.

Key Takeaways

Cisco confirmed that attackers are now exploiting a Unified Communications Manager (Unified CM) vulnerability patched in early June.

Unified CM (formerly known as Cisco CallManager) is the central control system for Cisco IP telephony systems, handling call routing, device management, and telephony features.

Threat actors without privileges can exploit the vulnerability (CVE-2026-20230) remotely in low-complexity server-side request forgery (SSRF) attacks by sending a crafted HTTP request.

Cisco said on June 3, when it released security patches to address this issue, that its Product Security Incident Response Team (PSIRT) was aware of publicly available proof-of-concept exploit code for CVE-2026-20230 but had no evidence of active exploitation.

However, roughly three weeks later, on June 22, threat intelligence firm Defused revealed that attackers had begun exploiting the flaw using properly constructed file:// payloads to create files on targeted devices.

[Image: CVE-2026-20230 exploitation (Defused)]

One day later, SSD Secure also published a technical write-up that included a proof-of-concept exploit and explained how the vulnerability works.

BleepingComputer contacted Cisco at the time to ask whether they were also seeing the flaw actively exploited in attacks and whether they could share any IOCs with defenders, but we have yet to receive a response.

The company finally confirmed this Wednesday that attackers are now exploiting CVE-2026-20230 and urged customers to secure their systems against ongoing exploitation.

"The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory," Cisco notes in an update to the original advisory.
