Cisco Unified CM flaw exploited after PoC reveals file-write path to root

Threat actors have started exploiting a critical vulnerability in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME). The flaw, tracked as CVE-2026-20230 with a CVSS score of 8.6, involves improper input validation for specific HTTP requests.

An unauthenticated, remote attacker could exploit this by sending a crafted HTTP request to an affected device. Cisco said a successful exploit would allow the attacker to write files to the underlying operating system, which could later be used to escalate to root.

Security firm Defused Cyber reported observing active exploitation of the vulnerability. According to the company, the exploit is currently being used from a single source leveraging an unvetted proof-of-concept, with working file-write payloads reaching its decoy systems.

For exploitation to succeed, the WebDialer service must be enabled on the target device. It is disabled by default. Cisco has patched the vulnerability in Unified CM versions 14SU6 and 15SU5. Organizations that cannot patch immediately are advised to disable the WebDialer service as a workaround.

SSD Secure Disclosure published additional technical details, describing the flaw as allowing unauthenticated attackers to write arbitrary files on the server by leveraging the WebDialer component to obtain the true hostname of the target and ultimately achieve code execution.

Cisco has not yet updated its advisory to reflect the active exploitation status. The company recently released patches for a medium-severity flaw in Catalyst SD-WAN Manager (CVE-2026-20262, CVSS 6.5) that is also under active exploitation.
