Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability
Summary
A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device.
CISA Known Exploited Vulnerability
- Listed:
- Jun 25, 2026 · federal remediation due Jun 28, 2026
- Required action:
- Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
- Ransomware use:
- Unknown
KEV is a prioritization signal from CISA — remediation detail still comes from the vendor advisory.
- Scope: This vulnerability affects Cisco Unified CM and Unified CM SME if they have the WebDialer service enabled.
- Release 14 (first fixed: 14SU6)
- Release 15 (first fixed: 15SU5 (Sep 2026) or COP1)
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
- 14SU6
- 15SU5 (Sep 2026) or COP1
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Mitigation checklist
- Upgrade to the first fixed release for your train per the Fixed Releases table in this advisory.
- Release 14: upgrade to 14SU6.
- Release 15: upgrade to 15SU5 (Sep 2026) or COP1.
- There are no workarounds that address this vulnerability. However, as a mitigation, administrators may disable the WebDialer service until a patch can be applied.
- To disable WebDialer, complete the following steps:
- Log in to the Cisco Unified CM Administration interface.
- From the Navigation menu, choose Cisco Unified Serviceability and click Go.
- From the Tools menu, choose Service Activation.
- In the CTI Services section of the page, uncheck the Cisco WebDialer Web Service check box and click Save.
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.