• Category: Security
  • Status: confirmed
  • Sources: NVD, SecurityWeek, CISA KEV
  • Summary: CVE-2026-20230 (CVSS 8.6) is an unauthenticated server-side request forgery in Cisco Unified Communications Manager caused by improper input validation of HTTP requests. A crafted request can write files to the underlying OS, chainable to root code execution. Cisco published the advisory and patches on 2026-06-03 with no exploitation known at disclosure; exploitation using file:// payloads was observed over the following weeks, and CISA added it to the KEV catalog on 2026-06-25 (catalog 2026.06.25, count 1629).
  • Why it matters: Unified CM is widely deployed enterprise telephony infrastructure, and a public PoC plus KEV listing raises the priority of patching exposed instances.
  • Follow-up: Track federal remediation deadline, victim disclosures, and whether the file-write primitive is chained to confirmed RCE in the wild.

Send feedback on this story