A flaw in Cisco Unified Communications Manager, the system that runs enterprise phone and call infrastructure, is now being exploited in attacks. The bug (CVE-2026-20230) is a server-side request forgery that lets an unauthenticated attacker send a crafted HTTP request to write files onto the underlying system, which can then be used to escalate to root and fully take over the server. Cisco patched it on June 3 and rates it critical; public exploit code has been available since, and security firms now see active exploitation attempts. The flaw is only exploitable when the WebDialer service is enabled, which is not the default.
Cisco has patched CVE-2026-20230, a critical server-side request forgery flaw in Unified Communications Manager (formerly CallManager), the central control system for Cisco IP telephony. An unauthenticated remote attacker can send a crafted HTTP request to write files to the underlying OS and later elevate to root - Cisco rated it Critical despite the CVSS score because of that root-escalation potential. Cisco's PSIRT is aware of public proof-of-concept exploit code but has not seen active exploitation yet. The flaw only affects systems with the WebDialer service enabled, which is off by default. There are no workarounds; admins should upgrade to 14SU6 or 15SU5, or disable WebDialer until patched.
Sysdig observed the first in-the-wild exploitation of CVE-2026-33626 against its honeypot fleet 12 hours and 31 minutes after the GitHub advisory went live on April 21. LMDeploy is Shanghai AI Laboratory's open source toolkit for serving vision-language and text LLMs. The flaw is in load_image() in lmdeploy/vl/utils.py: it fetches arbitrary URLs from the image_url field without validating link-local, loopback, or RFC1918 ranges. CVSS 7.5. The attacker used LMDeploy as a generic SSRF primitive over an eight-minute session - port-scanning AWS IMDS, localhost Redis, MySQL, and an admin interface. v0.12.3 fixes it.