Cisco security advisory (AV26-547)
Analysis Summary
# Vulnerability: Cisco Unified Communications Manager Server-Side Request Forgery
## CVE Details
- **CVE ID:** CVE-2026-20230
- **CVSS Score:** 9.8 (Critical) *(Based on severity classification for this advisory)*
- **CWE:** CWE-918 (Server-Side Request Forgery)
## Affected Systems
- **Products:**
  - Cisco Unified Communications Manager (Unified CM)
  - Cisco Unified Communications Manager Session Management Edition (Unified CM SME)
- **Versions:**
  - Release 14: Versions prior to 14SU6
  - Release 15: Versions prior to 15SU5 (or missing specific COP file)
- **Configurations:** Systems running default or vulnerable web interface configurations for management.
## Vulnerability Description
A Server-Side Request Forgery (SSRF) vulnerability exists in the web-based management interface of Cisco Unified CM and Unified CM SME. The flaw is caused by insufficient validation of user-supplied input when processing requests to internal or external resources. An unauthenticated, remote attacker can exploit this by sending crafted HTTP requests to the affected device, potentially allowing them to make the server perform unauthorized actions or access sensitive data within the internal network that is otherwise protected.
## Exploitation
- **Status:** Proof-of-Concept (PoC) exploit code is available.
- **Complexity:** Low
- **Attack Vector:** Network (Remote/Unauthenticated)
## Impact
- **Confidentiality:** High (Potential access to internal services and metadata)
- **Integrity:** High (Ability to craft and send unauthorized requests)
- **Availability:** High (Potential for service disruption via internal resource exhaustion)
## Remediation
### Patches
Cisco has released software updates to address this vulnerability:
- **For Release 14:** Upgrade to **14SU6** or later.
- **For Release 15:** Upgrade to **15SU5** (Targeted for Sep 2026) or apply the specifically designated **Cisco Options Package (COP)** file provided by Cisco TAC.
### Workarounds
- There are no known workarounds that address this vulnerability. Administrators are urged to apply the patches or COP files immediately.
## Detection
- **Indicators of Compromise:** Monitor web server logs for unusual HTTP GET/POST requests targeting internal IP addresses or loopback addresses (127.0.0.1).
- **Detection methods and tools:** Use network intrusion detection systems (NIDS) to identify SSRF-like patterns and non-standard egress traffic originating from the Unified CM management IP.
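
The log check described under Detection, as an added example (not code from Cisco or from this advisory): it parses access-log lines, decodes query parameters, and flags embedded URLs whose host is a literal loopback, link-local or private address. The log format, the `/example/fetch` path and the parameter names are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: common/combined access log format; adjust for your log source.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Host portion of any absolute URL embedded in a parameter value.
URL_HOST_RE = re.compile(r'//(?P<host>\[[0-9a-f:.]+\]|[^/?#:\s]+)', re.I)

def classify_host(host):
    """Label a literal loopback, link-local or private address; None otherwise."""
    host = host.rsplit("@", 1)[-1].strip("[]").lower()
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname: resolving it is out of scope here
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    return "private" if ip.is_private else None

def scan_line(line):
    """Return (source, parameter, host, label) tuples for one log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    findings = []
    for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        value = unquote(value)  # second decode pass for double-encoded values
        for hit in URL_HOST_RE.finditer(value):
            label = classify_host(hit["host"])
            if label:
                findings.append((m["src"], name, hit["host"], label))
    return findings

def scan_log(lines):
    """Collect findings across all lines, in log order."""
    return [f for line in lines for f in scan_line(line)]

# Constructed sample lines; the path and parameter names are hypothetical.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /example/fetch?url=http%3A%2F%2F127.0.0.1%3A8080%2Fstatus HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "GET /example/fetch?url=http://169.254.10.20/latest/ HTTP/1.1" 200 90',
    '198.51.100.4 - - [01/Jan/2026:10:00:05 +0000] "GET /example/fetch?url=https://www.example.com/logo.png HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2026:10:00:09 +0000] "GET /example/fetch?target=http%253A%252F%252F10.0.0.5%252F HTTP/1.1" 200 77',
]
```

Access logs usually omit POST bodies, so this covers only URLs carried in the query string; hostnames that resolve to internal addresses need DNS context to classify.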
## References
- Cisco Security Advisory: hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW
- Cisco Security Publication Listing: hxxps[://]tools[.]cisco[.]com/security/center/publicationListing[.]x
- Canadian Centre for Cyber Security Advisory (AV26-547): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/cisco-security-advisory-av26-547