securityaffairs.com 6/4/2026, 1:50:50 PM · external

Cisco Fixes CVE-2026-20230 SSRF Flaw in Unified CM, Root Risk.

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Status unknown

Cisco has patched a critical vulnerability in its Unified Communications Manager (Unified CM), tracked as CVE-2026-20230, that allows unauthenticated attackers to perform server-side request forgery (SSRF). The flaw stems from improper validation of HTTP requests; successful exploitation could lead to root privilege escalation. Cisco rated the vulnerability critical because of its serious impact, particularly when the WebDialer service is enabled.
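The article attributes the flaw to improper validation of HTTP requests, the root cause of most SSRF bugs. The following Python is an added illustration, not Cisco's code and not a description of how Unified CM or WebDialer actually process requests (the page does not say). It places the unvalidated "before" shape of the bug class beside a hardened validator that enforces a scheme allowlist, rejects embedded credentials, checks the hostname against an allowlist, and verifies that every address the name resolves to lies in the network expected for that host, so an answer pointing an allowlisted name at loopback or another internal host is refused. The hostnames, networks, resolver tables and sample URLs are all constructed assumptions so that the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy (assumption, not Cisco's configuration): each hostname the
# service may contact, with the network(s) its resolved addresses must fall in.
ALLOWED_TARGETS = {
    "directory.example.internal": [ipaddress.ip_network("10.20.30.0/24")],
}
ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_fetch_target(url: str) -> str:
    """'Before' shape of the bug class: the caller-supplied URL becomes the
    outbound request target with no validation at all."""
    return url


def validate_outbound_url(url: str, resolver=socket.getaddrinfo):
    """Hardened form: return (ok, reason) for a caller-supplied URL.

    Checks, in order: scheme, embedded credentials, hostname allowlist, and
    that every address the name resolves to lies in the allowed network, so a
    DNS answer pointing an allowlisted name at loopback or another internal
    host is rejected too. `resolver` is injectable so the check runs offline.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if not host:
        return False, "missing host"
    networks = ALLOWED_TARGETS.get(host)
    if networks is None:
        return False, f"host not in allowlist: {host!r}"
    port = port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except OSError as exc:
        return False, f"name resolution failed: {exc}"
    if not infos:
        return False, "name resolved to no addresses"
    for info in infos:
        addr = ipaddress.ip_address(info[4][0])
        if not any(addr in net for net in networks):
            return False, f"resolves to address outside allowed range: {addr}"
    return True, "ok"


def make_resolver(table):
    """Offline stand-in for socket.getaddrinfo backed by a constructed table."""
    def resolver(host, port, **_):
        addrs = table.get(host)
        if addrs is None:
            raise socket.gaierror(f"constructed NXDOMAIN for {host}")
        return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (a, port))
                for a in addrs]
    return resolver


# Constructed DNS views: a normal one and one where the allowlisted name has
# been pointed at loopback (the rebinding-style case the range check catches).
NORMAL_DNS = make_resolver({"directory.example.internal": ["10.20.30.5"]})
POISONED_DNS = make_resolver({"directory.example.internal": ["127.0.0.1"]})

# Constructed sample inputs: one legitimate lookup and four that must be refused.
SAMPLE_URLS = [
    "https://directory.example.internal/lookup?user=jdoe",
    "http://127.0.0.1:8443/",
    "http://directory.example.internal@169.254.169.254/",
    "file:///etc/passwd",
    "http://[::1]/",
]


def triage(urls=SAMPLE_URLS, resolver=NORMAL_DNS):
    """Run each URL through the validator; returns [(url, ok, reason), ...]."""
    return [(u, *validate_outbound_url(u, resolver)) for u in urls]


if __name__ == "__main__":
    for url, ok, reason in triage():
        print(f"{'ALLOW' if ok else 'DENY ':5} {url}  ({reason})")
    ok, reason = validate_outbound_url(SAMPLE_URLS[0], POISONED_DNS)
    print(f"{'ALLOW' if ok else 'DENY ':5} {SAMPLE_URLS[0]} via poisoned DNS  ({reason})")
```

The resolved-address check is the part most validators skip: a hostname allowlist alone is defeated if the name can be made to resolve to an internal address, and the same check must be repeated on any redirect the HTTP client follows.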

Although public exploit code is available, Cisco's PSIRT has not noted any active attacks exploiting this issue. Users are advised to disable the WebDialer service until patches are applied. The first fixed releases are 14SU6 for Unified CM 14 and 15SU5 for Unified CM 15.


Article by CyberSIXT
