Cisco has released patches for a critical vulnerability (CVE-2026-20230, CVSS score 8.6) in its Unified Communications Manager and Session Management Edition that could allow server-side request forgery attacks leading to root access. The vulnerability is due to improper validation of specific HTTP requests. Only systems with the WebDialer service enabled are affected; the service is disabled by default. Cisco also addressed two medium-severity vulnerabilities in Webex Meetings and Finesse that could enable XSS attacks.
None of these vulnerabilities has been exploited so far, but proof-of-concept code for the critical flaw is available.