HIGH SEVERITY
CVE-2026-20230 · Cisco · Unified Communications Manager

Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability

Technical Severity

CVSS v3.1 Metrics

HIGH
8.6 / 10
Vector Specification
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Exploitation Likelihood

EPSS Prediction

Predictive Probability: 51.24%
Percentile Rank: 98.8th

Documented as more likely to be exploited than 98.8% of known CVEs.

Detection Date

Jun 25, 2026

Remediation Due

Jun 28, 2026

CISA Catalog Active

Threat Analysis

Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) contain a server-side request forgery (SSRF) vulnerability that could allow an unauthenticated, remote attacker to write files to the underlying operating system; those files could later be used to elevate privileges to root.

Remediation Directive

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

External Intelligence