Cisco Warns of Available PoC for Critical Unified CM Vulnerability
The high-severity flaw can be exploited remotely, without authentication, in server-side request forgery (SSRF) attacks.
Cisco on Wednesday rolled out patches for a high-severity vulnerability in Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME), warning that proof-of-concept (PoC) code for it exists.
Tracked as CVE-2026-20230 (CVSS score of 8.6), the bug stems from input in specific HTTP requests not being properly validated, allowing attackers to mount server-side request forgery (SSRF) attacks.
“An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root,” Cisco explains in its advisory.
Source: https://www.securityweek.com/cisco-warns-of-available-poc-for-critical-unified-cm-vulnerability/
Related breach coverage
- Critical Cisco Unified CM Bug Patched as Public Exploit Code Emerges (2026-06-04)
Cisco patched a critical Unified CM flaw with public PoC code that allows unauthenticated attackers to launch SSRF attacks remotely. Cisco has addressed a high-severity vulnerability, tracked as CVE-2026-20230, affecting Unified CM and Unified CM SME. The flaw, caused by improper validation of certain HTTP requests, allows a remote attacker without authentication to perform server-side […]
- Unpatched ChromaDB Vulnerability Can Lead to Server Takeover (2026-05-19)
The security defect can be exploited remotely, without authentication, to execute arbitrary code and leak sensitive information.
- Mirasvit Vulnerability Exploited to Execute Code on Magento Servers (2026-06-04)
A flaw in the Full Page Cache Warmer extension can be exploited without authentication via serialized PHP object payloads.
- Drupal Patches Highly Critical Vulnerability Exposing Websites to Hacking (2026-05-21)
CVE-2026-9082 can be exploited without authentication for information disclosure, privilege escalation, and remote code execution.
