Cisco Unified CM SSRF Flaw CVE-2026-20230 Now Actively Exploited in Attacks
Cisco warns that a high-severity SSRF vulnerability in Unified Communications Manager is being actively exploited, urging immediate patching.

Cisco has issued an urgent warning that CVE-2026-20230, a high-severity server-side request forgery (SSRF) vulnerability affecting Cisco Unified Communications Manager (Unified CM) and Unified CM SME, is now being actively exploited in the wild. The flaw, which carries a CVSS score of 8.6, allows an unauthenticated attacker to send arbitrary requests to internal services, potentially leading to further compromise of the network.
The vulnerability resides in the web-based management interface of Unified CM and Unified CM SME. By sending specially crafted HTTP requests, an attacker can trick the server into making requests to internal systems that would otherwise be inaccessible. This SSRF vector can be used to scan internal networks, access sensitive data, or pivot to other vulnerable services behind the firewall.
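The mitigation side of the mechanism described above is worth seeing in code. The following is an added example written for this article; it is not Cisco code and says nothing about how Unified CM is implemented. It shows a fetch-by-URL handler that trusts the caller's URL (the vulnerable shape) beside a validator that checks the scheme, port and, crucially, every address the host name resolves to, rejecting loopback, private, link-local and IPv4-mapped ranges. `ALLOWED_PORTS`, the host names and addresses are constructed assumptions, and `fake_resolver` stands in for DNS so the example runs offline.

```python
"""Hardened outbound-request validation: the core application-level
mitigation for SSRF. Added example, not code from Cisco or Unified CM."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8443}  # assumption: what this service may legitimately contact


class SSRFRejected(ValueError):
    """Raised when a URL must not be fetched on the caller's behalf."""


def _is_internal(addr) -> bool:
    """True for any address an internet-facing fetcher must never reach."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 range checks apply.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def default_resolver(host: str) -> list:
    """System DNS: return every A/AAAA answer, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vulnerable_target(url: str) -> str:
    """The 'before': uses the host exactly as supplied, so a URL pointing at
    127.0.0.1 or 169.254.169.254 is fetched with the server's network position."""
    parsed = urlparse(url)
    return f"{parsed.hostname}:{parsed.port or 80}"


def validate_target(url: str,
                    resolver: Callable[[str], Iterable[str]] = default_resolver) -> str:
    """Return 'ip:port' that is safe to connect to, or raise SSRFRejected.
    Checks the *resolved* addresses rather than the host string, so IP
    literals, odd encodings and DNS names that point inward all fail."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise SSRFRejected(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username or parsed.password:
        raise SSRFRejected("credentials embedded in URL are not allowed")
    host = parsed.hostname
    if not host:
        raise SSRFRejected("missing host")
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError as e:
        raise SSRFRejected(f"bad port: {e}")
    if port not in ALLOWED_PORTS:
        raise SSRFRejected(f"port not allowed: {port}")
    try:
        addrs = list(resolver(host))
    except (socket.gaierror, OSError) as e:
        raise SSRFRejected(f"cannot resolve {host!r}: {e}")
    if not addrs:
        raise SSRFRejected(f"no address for {host!r}")
    for a in addrs:  # one internal answer among many is enough to refuse
        if _is_internal(ipaddress.ip_address(a)):
            raise SSRFRejected(f"{host!r} resolves to internal address {a}")
    # Pin to the validated address so a DNS change between check and connect
    # (rebinding) cannot redirect the request inward.
    return f"{addrs[0]}:{port}"


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "updates.example.com": ["93.184.216.34"],            # public-looking answer
    "rebind.example": ["93.184.216.34", "10.0.0.1"],    # one public, one internal
    "localhost": ["127.0.0.1"],
}


def fake_resolver(host: str) -> list:
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        return [str(ipaddress.ip_address(host))]  # bare IP literal
    except ValueError:
        raise socket.gaierror(f"unknown host {host!r}")


def is_rejected(url: str, resolver=fake_resolver) -> bool:
    try:
        validate_target(url, resolver)
        return False
    except SSRFRejected:
        return True


if __name__ == "__main__":
    for u in ("https://updates.example.com/fw.bin", "http://localhost/",
              "http://169.254.169.254/latest/", "http://[::ffff:10.0.0.1]/",
              "http://rebind.example/", "file:///etc/passwd"):
        print(u, "->", "rejected" if is_rejected(u) else validate_target(u, fake_resolver))
```

Two design choices matter here: the loop refuses the host if any resolved answer is internal (a name with one public and one private record is a classic bypass), and the returned address is the one that was checked, so the HTTP client should connect to it directly and re-run the same validation on every redirect it follows.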
Cisco has confirmed that proof-of-concept exploit code is publicly available, and the company is aware of active exploitation attempts targeting unpatched systems. The advisory notes that no workarounds are available, leaving software updates as the only mitigation. Administrators are urged to apply the fixed releases immediately.
The affected products are widely deployed in enterprise telephony and collaboration environments. Unified CM serves as the call-processing component of Cisco's unified communications suite, handling voice, video, and messaging for organizations of all sizes. The SME variant is tailored for service provider environments, extending the attack surface to critical infrastructure.
Cisco has released software updates for all supported versions of Unified CM and Unified CM SME. The patches are available through the Cisco Software Download Center. The CVE has not yet been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, but given active exploitation, inclusion is likely imminent.
This incident follows a pattern of SSRF vulnerabilities being weaponized by attackers with increasing frequency. SSRF flaws are particularly dangerous because they bypass traditional perimeter defenses, allowing attackers to interact with internal systems from the internet. Organizations that have not yet patched should treat this as a critical priority, especially those in sectors such as healthcare, finance, and government where Unified CM is common.
Cisco's advisory also reminds customers to verify the integrity of downloaded software and to follow best practices for securing management interfaces, such as restricting access via ACLs and using VPNs for remote administration. As exploitation continues, the window for proactive defense is closing rapidly.