Particle.news

Cisco Patches Critical Unified CM SSRF Flaw After Public PoC Emerges

The bug can let unauthenticated attackers write files that lead to root access, so Cisco says administrators must install the 14SU6 update or disable WebDialer until patched.

Overview

  • Cisco released Unified CM and Unified CM SME build 14SU6 on Wednesday to fix CVE-2026-20230 and said the patch will also be rolled into 15SU5 expected in September.
  • The flaw is an input‑validation error that enables low‑complexity server‑side request forgery (SSRF) attacks that can write files to the appliance and may be used to elevate privileges to root; Cisco assigned the advisory a Critical Security Impact Rating and lists the CVSS base score as 8.6. Note that Cisco's Security Impact Rating is assigned independently of the CVSS severity bands, in which 8.6 falls in the High range, so the two ratings are not contradictory.
  • Cisco’s PSIRT warned that proof‑of‑concept exploit code for the bug is publicly available but said it has not seen evidence of active exploitation in the wild.
  • Only Unified CM appliances with the WebDialer web service enabled are vulnerable, and administrators can block attacks by deactivating the Cisco WebDialer Web Service in Unified Serviceability (Tools > Service Activation) until they apply the 14SU6 update. Doing so also disables the click‑to‑dial features that depend on WebDialer, so operators should confirm the service is actually in use before treating the workaround as cost‑free.
  • This patch follows a string of recent Unified CM incidents, including an actively exploited January zero‑day and past backdoor and root‑escalation fixes, which together raise urgency for operators to update, monitor logs, and harden IP‑telephony infrastructure.