Cisco confirmed that a recently patched vulnerability in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME) has been exploited in the wild.
Tracked as CVE-2026-20230 (CVSS score of 8.6), the security defect is described as improper validation of specific HTTP requests, which could allow an attacker to mount server-side request forgery (SSRF) attacks.
Successful exploitation of the bug could allow the attacker to write arbitrary files to the underlying operating system, which could in turn be leveraged to gain root access.
Only appliances with the WebDialer service enabled are vulnerable, Cisco says. The service is disabled by default.
In early June, Cisco rolled out patches for the CVE in version 14SU6 of Unified CM and Unified CM SME, and announced that the fixes would also be included in version 15SU5, which is expected to arrive in September.
At the time, Cisco warned that proof-of-concept (PoC) code targeting the vulnerability existed, but said it was not aware of any in-the-wild exploitation.
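The two conditions above (which release trains carry the fix, and whether WebDialer is actually running) are the basis of a quick exposure triage. The helper below is an added example, not Cisco's tooling or anything from the advisory: it encodes only the fixed releases named in this article (14SU6, and 15SU5 once shipped), treats any other train as "review" rather than guessing, and reads the WebDialer state from the output of the Unified CM CLI command `utils service list`. The service name `Cisco WebDialer Web Service` and the `Name[STATE]` line layout are assumptions about that output; the sample output embedded below is constructed, so check the real strings on your own appliance before relying on it.

```python
from __future__ import annotations
import re

# Fixed releases as reported in this article: 14SU6 and 15SU5. Other trains are not
# covered by the article, so they are reported as "review" rather than assumed safe.
FIXED_SU: dict[str, int] = {"14": 6, "15": 5}

# Accepts labels such as "14SU6", "15", "12.5(1)SU8". The "(n)" part is not used for
# matching a train.
_RELEASE_RE = re.compile(r"^(?P<train>\d+(?:\.\d+)*)(?:\(\d+\))?(?:SU(?P<su>\d+))?$", re.I)


def parse_release(label: str) -> tuple[str, int]:
    """Split a Cisco-style release label into (train, service_update). No SU means SU 0."""
    m = _RELEASE_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised release label: {label!r}")
    return m.group("train"), int(m.group("su") or 0)


def release_is_fixed(label: str) -> bool | None:
    """True if at/after the first fixed SU on a covered train, False if before it,
    None if the train is not one the advisory summary above mentions."""
    train, su = parse_release(label)
    if train not in FIXED_SU:
        return None
    return su >= FIXED_SU[train]


# Assumed service name and "Name[STATE]" layout of `utils service list` output.
WEBDIALER_SERVICE = "Cisco WebDialer Web Service"
_SERVICE_LINE_RE = re.compile(r"^(?P<name>.+?)\[(?P<state>[A-Z ]+)\]")


def webdialer_state(service_list_output: str) -> str | None:
    """Return the bracketed state of the WebDialer service, or None if it is not listed."""
    for line in service_list_output.splitlines():
        m = _SERVICE_LINE_RE.match(line.strip())
        if m and m.group("name").strip() == WEBDIALER_SERVICE:
            return m.group("state").strip()
    return None


def triage(release_label: str, service_list_output: str) -> str:
    """Map (release, WebDialer state) to one of: patched, exposed, not-exposed, review.

    "not-exposed" follows Cisco's statement that only appliances with WebDialer enabled
    are vulnerable; the upgrade is still the recommended remediation."""
    fixed = release_is_fixed(release_label)
    state = webdialer_state(service_list_output)
    if fixed is True:
        return "patched"
    if fixed is None:
        return "review"
    return "exposed" if state == "STARTED" else "not-exposed"


# Constructed sample of `utils service list` output (not captured from a real system).
SAMPLE_SERVICE_LIST = """\
Requested Service is not active:
Cisco WebDialer Web Service[STOPPED]  Service Not Activated
Cisco Tftp[STARTED]
Cisco CallManager[STARTED]
"""

if __name__ == "__main__":
    for label in ("14SU5", "14SU6", "15", "12.5(1)SU8"):
        print(label, "->", triage(label, SAMPLE_SERVICE_LIST))
```

Feed it the release label from `show version active` and the captured `utils service list` text; any appliance that comes back "exposed" should be treated as reachable by the public PoC until it is upgraded, and a "review" result means the train is outside what this summary covers and needs the full advisory.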
On Wednesday, the company updated its advisory to warn customers that the security defect is being actively exploited in attacks.
“Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability,” the company said.
The warning comes a week after exploit intelligence firm Defused reported seeing exploitation “from a single source using an unvetted PoC” and after SSD Secure Disclosure, which was credited with finding the bug, published technical information and a PoC.
At the time, Cisco told SecurityWeek it was not aware of any malicious use of the security weakness.
Related: Cisco SD-WAN Zero-Day Exploited Months Before Patching
Related: Critical Command Execution Vulnerability Patched in Cisco ISE
Related: Cisco Patches Another SD-WAN Zero-Day Exploited in Attacks
Related: Cisco Patches Critical Vulnerability in Secure Workload