Cisco Warns of Available PoC for Critical Unified CM Vulnerability


Cisco on Wednesday rolled out patches for a high-severity vulnerability in Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME), warning that proof-of-concept (PoC) code for it exists.

Tracked as CVE-2026-20230 (CVSS score of 8.6), the bug stems from input in specific HTTP requests not being properly validated, allowing attackers to mount server-side request forgery (SSRF) attacks.
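The vulnerability class named here, SSRF caused by unvalidated request input, is worth seeing in code from the defender's side. The example below is added here and is not Cisco's code, nor does it reflect how Unified CM handles requests; every hostname, address and the in-memory DNS table are constructed for the demonstration. It contrasts a prefix check that accepts any `http...` string with a destination validator that enforces a scheme allow-list, rejects embedded credentials, allow-lists hostnames, and resolves the host and rejects loopback, link-local, RFC 1918 and similar internal ranges before any outbound request is made.

```python
"""SSRF destination validation: weak check vs. hardened check (added example)."""
import ipaddress
from urllib.parse import urlparse

# Networks an application should never reach on behalf of a client-supplied URL.
# IPv4-mapped IPv6 addresses are unwrapped before this list is consulted.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]

ALLOWED_SCHEMES = {"http", "https"}

# Constructed allow-list of outbound destinations the application legitimately needs.
ALLOWED_HOSTS = {"callback.partner.example", "metrics.partner.example"}

# Constructed stand-in for DNS so the example runs offline; a real deployment
# would call socket.getaddrinfo() and check every returned address.
CONSTRUCTED_DNS = {
    "callback.partner.example": ["203.0.113.10"],
    "metrics.partner.example": ["203.0.113.20", "10.0.0.5"],  # one record is internal
}


def constructed_resolver(host):
    """Return the constructed A/AAAA records for host; raise LookupError if unknown."""
    return CONSTRUCTED_DNS[host]


def weak_check(url):
    """The kind of check that leaves an SSRF hole: any http/https-looking string passes."""
    return url.startswith("http")


def address_is_blocked(text):
    """True if the address falls in a loopback, link-local, private or other blocked range."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def hardened_check(url, resolver=constructed_resolver):
    """Decide whether url may be fetched. Returns (allowed, reason)."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        # 'https://trusted.example@127.0.0.1/' puts the real host after the '@'.
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if host is None:
        return False, "no host in URL"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allow-list"
    try:
        addresses = resolver(host)
    except (OSError, LookupError):
        return False, f"host {host!r} does not resolve"
    for addr in addresses:
        if address_is_blocked(addr):
            return False, f"host {host!r} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    samples = [
        "http://127.0.0.1/",
        "file:///etc/hosts",
        "https://callback.partner.example@127.0.0.1/",
        "https://callback.partner.example/notify",
        "https://metrics.partner.example/",
    ]
    for u in samples:
        print(f"{u:50} weak={weak_check(u)!s:5} hardened={hardened_check(u)}")
```

The allow-list is the primary control; the resolved-address check backs it up so that an allow-listed name whose records change to an internal address is still refused. Resolving and then connecting separately leaves a window between check and use, so production code should connect to the vetted address and send the hostname in the Host header or SNI rather than resolving twice.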

“An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root,” Cisco explains in its advisory.

According to the company, the security defect should be considered critical because it could provide attackers with root privileges on the affected device.

Cisco also notes that only appliances with the WebDialer service enabled are impacted. The service is disabled by...

Copyright of this story solely belongs to securityweek.com.