[KEV] CVE-2026-20230 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-20230 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2026-20230 is a server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) that allows unauthenticated remote attackers to write arbitrary files to the underlying operating system.
Technical Detail
The flaw exists in Cisco Unified CM and Unified CM SME and can be triggered by an unauthenticated, remote attacker via a crafted SSRF request, requiring no prior authentication or user interaction. Successful exploitation allows the attacker to write files to the host operating system, which can then be leveraged in a subsequent step to escalate privileges to root. The attack chain effectively enables full system compromise through a two-stage process: initial file write via SSRF followed by local privilege escalation to root.
Exploitation Status
CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities catalog on June 25, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliably achieving the described impact exists and is being used in real-world attacks, not merely as a proof-of-concept demonstration. Organizations running affected Cisco Unified CM deployments should treat this as an actively targeted vulnerability requiring immediate action.
Who Is Targeting This
No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established for this vulnerability in available intelligence sources. This assessment may change as incident data is collected and analyzed following the KEV listing.
What To Do
Per CISA's Known Exploited Vulnerabilities catalog, organizations subject to BOD 22-01 must apply vendor-supplied patches or implement mitigations by the deadline specified in the KEV entry (added June 25, 2026). Administrators should apply the relevant Cisco security advisory patches for Unified CM and Unified CM SME immediately. Where patching cannot be completed immediately, restrict network access to Unified CM administrative interfaces to trusted internal hosts only and monitor for anomalous outbound connections or unexpected file creation events on Unified CM servers. Review Cisco's official security advisory for specific fixed software versions and any available workarounds. Given the unauthenticated nature of the vulnerability and the confirmed active exploitation, patch prioritization should be treated as critical regardless of the CVSS score assigned.