What happened
CVE-2026-20230 is a server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME). An unauthenticated remote attacker can send a crafted HTTP request to perform SSRF attacks through the affected device, write arbitrary files to the underlying OS, and potentially escalate privileges to root. Cisco patched the flaw on June 3, 2026; SSD Secure Disclosure published a PoC showing the SSRF can be leveraged for unauthenticated RCE. Exploit intelligence firm Defused observed active exploitation over the weekend prior to June 24, using file:// file-write payloads. CISA added the CVE to the KEV catalog on June 25, 2026, with a federal agency due date of June 28.
Why it matters
Cisco Unified CM is widely deployed enterprise telephony and collaboration infrastructure; it is also increasingly integrated with AI-powered communication analytics and contact-centre AI platforms. Confirmed active exploitation with a public RCE-capable PoC and a three-day federal patch deadline make this extremely urgent. AI-driven contact-centre and unified-communications deployments that sit behind Unified CM are directly exposed.
Attack vector
An unauthenticated remote attacker sends a crafted HTTP request; the SSRF allows file writes to the underlying OS, which can be chained to achieve root-level RCE.
Affected systems
Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME) prior to 14SU6 / 15SU5.
Mitigation
Upgrade Unified CM and Unified CM SME to the fixed releases, 14SU6 / 15SU5, immediately. Cisco advisory: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-cucm-ssrf-cXPnHcW.html. CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
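The following triage script is an added example, not code from Cisco, CISA or this bulletin. It covers the two defender tasks the bulletin implies: deciding whether a given Unified CM release is below the fixed 14SU6 / 15SU5 baseline, and scanning web access logs for requests whose decoded target carries the file:// scheme reported in the observed payloads. It assumes version labels written as "<train>SU<n>" (real Unified CM build strings need to be mapped to that label first), Common Log Format access logs, and a made-up request path; the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Fixed releases stated in the bulletin, keyed by release train.
FIXED_SU = {14: 6, 15: 5}

# Assumption: version labels are written as "<train>SU<n>" (e.g. "14SU5").
# Real Unified CM build strings (e.g. "14.0.1.x") must be mapped to their SU label first.
SU_LABEL_RE = re.compile(r"^(\d+)SU(\d+)$", re.IGNORECASE)

# Common Log Format request line; the request target is group 4.
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3})')

# The file:// scheme the bulletin reports in exploitation payloads.
FILE_SCHEME_RE = re.compile(r"file:/{2,}", re.IGNORECASE)


def parse_su_label(label):
    """Split a label like '14SU5' into (train, su) integers."""
    m = SU_LABEL_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised version label: {label!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(label):
    """True when the SU is older than the fixed release for its train,
    False when at or above it, None for trains this check has no data for."""
    train, su = parse_su_label(label)
    fixed = FIXED_SU.get(train)
    if fixed is None:
        return None
    return su < fixed


def decode_target(target, rounds=2):
    """Percent-decode the request target, repeating to expose double-encoded schemes."""
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def scan_access_log(lines):
    """Return one record per request whose decoded target carries a file:// scheme."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess at the layout
        client, ts, method, target, _proto, status = m.groups()
        decoded = decode_target(target)
        if FILE_SCHEME_RE.search(decoded):
            hits.append({"line": line_no, "client": client, "time": ts,
                         "method": method, "target": decoded, "status": int(status)})
    return hits


# Constructed sample log. "/placeholder-endpoint" is a made-up path, not a Unified CM URL;
# the third line carries a double-encoded scheme to show why decoding is repeated.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jun/2026:03:12:45 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Jun/2026:03:13:01 +0000] "GET /placeholder-endpoint?target=file%3A%2F%2F%2Ftmp%2Fprobe HTTP/1.1" 200 17',
    '203.0.113.7 - - [24/Jun/2026:03:13:04 +0000] "POST /placeholder-endpoint?target=file%253A%252F%252F%252Ftmp%252Fprobe HTTP/1.1" 200 17',
    '198.51.100.2 - - [24/Jun/2026:03:14:10 +0000] "GET /api/status?callback=https://intranet.example/health HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for label in ("14SU5", "14SU6", "15SU4", "15SU5"):
        print(label, "affected" if is_affected(label) else "fixed")
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} {hit['method']} {hit['target']}")
```

The log check only sees what the web server records: a query string in the request line is visible, a scheme carried in a POST body is not unless body logging is enabled, so treat an empty result as "nothing in the access log" rather than "not exploited", and pair it with the version check and Cisco's own indicators.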