Two recent Cisco Unified Communications Manager advisories — one an actively-exploited zero-day — can be scoped today using data the CUCM PowerPack already collects.
1. Summary
Cisco has disclosed two vulnerabilities affecting Unified Communications Manager. If you monitor CUCM with ScienceLogic AI Platform, you already hold the two data points needed to scope exposure: each cluster's running software release, and which services (including WebDialer) are active.
| CVE | Type | Severity | Status |
|---|---|---|---|
| CVE-2026-20045 | Remote code execution via the web management interface, no authentication required | CVSS 8.2 Critical (SIR) | Listed in CISA KEV; actively exploited in the wild |
| CVE-2026-20230 | Server-side request forgery (SSRF) that can escalate to root | CVSS 8.6 Critical (SIR) | PoC code available; no confirmed in-the-wild use. Conditional — see note. |
Why "Critical" with a sub-9 score? Cisco assigns both a Security Impact Rating of Critical — higher than the numeric CVSS suggests — because successful exploitation can lead to root access. The headline RCE (CVE-2026-20045) is the urgent one: it is unauthenticated, requires no special service to be enabled, and is being exploited now.
2. How to Check With ScienceLogic AI Platform
To see whether you are impacted, use data the CUCM PowerPack already collects on each cluster's root device — the running software release and the WebDialer service state — and build a custom alert and event policy that flags an impacted cluster automatically. First, here are the releases each CVE is fixed in; the rest of this section shows how to detect them in SL1.
Both vulnerabilities are addressed in specific CUCM software releases. The RCE applies regardless of configuration; the SSRF only applies when the WebDialer service is enabled.
CVE-2026-20045 (RCE) — fixed releases
| Release train | First fixed release |
|---|---|
| 12.5 | Migrate to a fixed release |
| 14 | 14SU5 (or apply the CSCwr21851 COP patch) |
| 15 | 15SU4 (or apply the CSCwr21851 COP patch) |
Also affects Unified CM SME, Unified CM IM&P, Unity Connection, and Webex Calling Dedicated Instance. Patches are version-specific — consult the README attached to each patch.
CVE-2026-20230 (SSRF) — fixed releases
| Release train | First fixed release |
|---|---|
| 14 | 14SU6 |
| 15 | 15SU5 (or COP1) |
The SSRF has a precondition. It is only exploitable when the WebDialer service is enabled. WebDialer is disabled by default, so a cluster with WebDialer off is effectively mitigated against this CVE (though still subject to the RCE).
The approach below is generic on purpose: you are creating a custom alert that matches on a software version and checks whether a service is running. You can adapt the same pattern to other CVEs, other versions, or other services by changing the match values.
Use the right version field. "Cisco: CUCM Cluster Information" also collects an OS Version object that reports the underlying appliance operating system — that is not what Cisco's advisories reference. Match against the CUCM Version object (the Unified CM application release), not OS Version.
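The matching logic described above, written out as an added example; it is not ScienceLogic or PowerPack code. It assumes release labels in the form used by the tables ("14SU5"); translating the raw value of the CUCM Version object into such a label is left out, and `cop_applied` is a hypothetical input.

```python
import re

# First fixed Service Update per release train, copied from the tables above.
# None means the page lists no fixed SU for that train ("Migrate to a fixed release").
FIXED_SU = {
    "CVE-2026-20045": {"12.5": None, "14": 5, "15": 4},
    "CVE-2026-20230": {"14": 6, "15": 5},
}

def parse_release(label):
    """Split an assumed label such as '14SU5', '15' or '12.5SU9' into (train, su)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(?:SU(\d+))?", label.strip().upper())
    if not m:
        raise ValueError(f"unrecognised release label: {label!r}")
    return m.group(1), int(m.group(2) or 0)

def assess(release, webdialer_enabled, cop_applied=False):
    """Return {cve: status} for one cluster.
    cop_applied is a hypothetical input: whether the CSCwr21851 COP patch (RCE)
    is known to be installed; version matching alone cannot see it.
    """
    train, su = parse_release(release)
    result = {}
    for cve, fixed in FIXED_SU.items():
        if train not in fixed:
            status = "train not listed: check advisory"
        elif fixed[train] is None:
            status = "exposed: migrate to a fixed release"
        elif su >= fixed[train]:
            status = "fixed"
        elif cve == "CVE-2026-20045" and cop_applied:
            status = "fixed by COP"
        else:
            status = "exposed"
        # SSRF precondition: only exploitable when WebDialer is enabled.
        if cve == "CVE-2026-20230" and status == "exposed" and not webdialer_enabled:
            status = "mitigated: WebDialer off"
        result[cve] = status
    return result

# Constructed inventory, not real data: (cluster, release label, WebDialer enabled)
SAMPLE = [("hq", "14SU5", True), ("lab", "15SU3", False), ("old", "12.5SU9", True)]

def scope(inventory=SAMPLE):
    return {name: assess(rel, wd) for name, rel, wd in inventory}

if __name__ == "__main__":
    for name, verdict in scope().items():
        print(name, verdict)
```

A cluster reported as "mitigated: WebDialer off" is still below the fixed release for the SSRF, so the verdict changes as soon as the service is enabled.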