Patch Now: Two Critical Cisco Unified CM Flaws — a Zero-Day and a Public Exploit

Cisco is rushing to fix critical Unified CM flaws, one a zero-day and one with public exploit code, both giving attackers root access. Patch now.
If your organisation runs Cisco's calling and collaboration software, this is a patch-now situation. Cisco has disclosed critical vulnerabilities in its Unified Communications Manager, the system that powers enterprise phone and video calling, and attackers are already taking advantage.
Two critical flaws
The most urgent issue is CVE-2026-20230, a critical server-side request forgery (SSRF) flaw in Unified Communications Manager and its Session Management Edition. Proof-of-concept exploit code is already public, which sharply raises the risk of real-world attacks. The flaw stems from improper input validation of certain HTTP requests handled by the WebDialer service, a component that is off by default but is commonly switched on in enterprise deployments. An unauthenticated attacker, with no login required, can send crafted requests to write arbitrary files on the underlying system and escalate privileges all the way to root.
Separately, Cisco has fixed CVE-2026-20045, a critical remote-code-execution flaw affecting Unified Communications and Webex Calling that was actively exploited as a zero-day. A successful attack gives an intruder a foothold on the operating system that can then be elevated to root.
Why this matters
Communications systems are an attractive target because they sit deep inside corporate networks and are almost always online. Root access on one of these servers can become a launch point for spying on calls, moving laterally, or deploying ransomware. The combination of public exploit code and confirmed in-the-wild attacks means the window to act safely is short.
What to do
- Identify and update. Find any affected Unified CM and Webex Calling deployments and apply the fixed release. CVE-2026-20230 is fixed in Unified CM 14SU6, with version 15 due to be patched in 15SU5 and interim COP patches available now.
- Mitigate if you cannot patch immediately. For the SSRF flaw, disable the WebDialer service through the Service Activation menu until you can update.
- Hunt for compromise. Given active exploitation, do not just patch and move on: review logs for unusual requests and signs of intrusion.
Critical, unauthenticated, root-level, with a public exploit and active attacks: between them, these two flaws check every box that should move a patch to the top of the queue.
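The "Identify and update" and mitigation steps above can be turned into a quick inventory triage for CVE-2026-20230. This is an added example, not code from Cisco or from this article; the CSV columns, host names and status labels are hypothetical, and it does not cover CVE-2026-20045 because the article gives no fixed releases for that flaw.

```python
import csv
import io
import re

# First fixed SU per release train for CVE-2026-20230, as stated in the article.
FIXED_SU = {14: 6, 15: 5}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,release,webdialer_active,cop_applied
cucm-pub-01,14SU4,yes,no
cucm-sub-02,14SU6,yes,no
cucm-sme-01,15SU3,yes,yes
cucm-lab-01,15SU3,no,no
cucm-old-01,12.5,yes,no
"""

def parse_release(label):
    """Split a label such as '14SU6' into (train, su); a bare '15' is SU 0."""
    m = re.fullmatch(r"(\d+)(?:SU(\d+))?", label.strip(), re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def triage(row):
    """Return a status string for one inventory row."""
    parsed = parse_release(row["release"])
    if parsed is None or parsed[0] not in FIXED_SU:
        # The article names fixes only for trains 14 and 15.
        return "UNKNOWN: check the vendor advisory for this release"
    train, su = parsed
    if su >= FIXED_SU[train]:
        return "FIXED"
    if row["cop_applied"].strip().lower() == "yes":
        return "INTERIM: COP patch applied, schedule the fixed release"
    if row["webdialer_active"].strip().lower() != "yes":
        return "MITIGATED: WebDialer not active, still update"
    return (f"EXPOSED: needs {train}SU{FIXED_SU[train]}, "
            "an interim COP patch, or WebDialer disabled")

def triage_inventory(text):
    """Map host -> status for a CSV inventory."""
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts reported as EXPOSED are the ones to patch or mitigate first and to prioritise when reviewing logs.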