
Cisco Unified CM Flaw CVE-2026-20230 Actively Exploited in the Wild

· 3 min read · SecurityXP

Cisco Unified Communications Manager has a serious vulnerability, tracked as CVE-2026-20230 (CVSS score of 8.6, HIGH), that attackers are already exploiting.

The Vulnerability

A high-severity SSRF vulnerability, tracked as CVE-2026-20230, in Cisco Unified Communications Manager Server is now being exploited in attacks.

Cisco released security updates for the CVE-2026-20230 flaw on June 3, warning that exploitation could give attackers root privileges on the device.

“Over the weekend we observed exploitation of CVE-2026-20230 - Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6) No previously recorded exploitation, and not yet listed in CISA KEV,” Defused warned on X.

While the flaw can be exploited in attacks to drop webshells and gain root privileges, the PoC observed by Defused appears designed to identify vulnerable devices by attempting to write a text file named ‘/tmp/cve-2026-20230-test.txt’ to them.

Technical Details

CVEs:

  • CVE-2026-20230

Severity:

  • CVSS 8.6, HIGH

From a technical standpoint, the vulnerability presents several concerns:

The company confirms that PoC exploit code for the vulnerability is publicly available.

“A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.” The flaw was disclosed to Cisco by SSD Secure, who did not share any technical details at the time.

Risk & Exposure

“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device,” warned Cisco. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device.

The researchers found that an unauthenticated attacker could abuse the WebDialer component’s handling of user-supplied URLs to force the application to write arbitrary files to the operating system using file:// URIs.
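One way to triage web access logs for the two indicators named above (file:// URIs in requests and the PoC's marker file name), added here as an example and not taken from Cisco, Defused or the original reporting. The access-log format, the `webdialer` path hint, and the sample lines (including the `/webdialer/EXAMPLE` path and `u` parameter) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicators stated in the article: file:// URIs and the PoC's marker file name.
MARKER = "/tmp/cve-2026-20230-test.txt"
FILE_URI = re.compile(r"\bfile:/", re.IGNORECASE)
# Assumption: logs are in common/combined access-log format.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines; the path and parameter name are hypothetical placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:00:00:01 +0000] "GET /webdialer/EXAMPLE?u=file%3A%2F%2F%2Ftmp%2Fcve-2026-20230-test.txt HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2026:00:00:02 +0000] "GET /webdialer/EXAMPLE?u=FiLe%253A%252F%252F%252Ftmp%252Fexample HTTP/1.1" 500 0',
    '198.51.100.4 - - [01/Jan/2026:00:00:03 +0000] "GET /webdialer/EXAMPLE?u=https%3A%2F%2Fintranet.example%2Fa HTTP/1.1" 200 40',
    'not an access-log line',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

# path_hint is an assumption about WebDialer URL paths; pass None to check every request.
def triage(lines, path_hint="webdialer"):
    """Return (line_no, client_ip, status, reasons) per suspicious request."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST.match(line)
        if not match:
            continue  # unparseable lines are skipped, not treated as clean
        target = fully_decode(match["target"])
        if path_hint and path_hint not in target.lower():
            continue
        reasons = [name for name, hit in (
            ("file-uri", FILE_URI.search(target)),
            ("poc-marker", MARKER in target),
        ) if hit]
        if reasons:
            findings.append((line_no, match["ip"], int(match["status"]), reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Access logs record only the request line, so parameters sent in a request body are not covered; a clean result here does not rule out a request that carried the URI in its body.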

Timeline

| Date | Event |
|------|-------|
| 2026 | A high-severity SSRF vulnerability, tracked as CVE-2026-20230, in Cisco Unified Communications Manager Server is now … |
| 2026 | Cisco released security updates for the CVE-2026-20230 flaw on June 3, warning that exploitation could give attackers… |
| 2026 | While the flaw can be exploited in attacks to drop webshells and gain root privileges, the PoC observed by Defused ap… |

Patching & Remediation

  1. Cisco released security updates for the CVE-2026-20230 flaw on June 3, warning that exploitation could give attackers root privileges on the device.

  2. BleepingComputer contacted Cisco to ask whether it, too, is seeing the flaw exploited in attacks and whether any IOCs can be shared with defenders, and said it will update its article if it receives a response.

  3. The risk depends on configuration: the vulnerability can only be exploited if the WebDialer service is enabled, and that service is disabled by default on affected systems.

  4. There is no full workaround for this vulnerability.

  5. Cisco recommends mitigating risk by disabling the WebDialer service until a patch is applied.

  6. The company confirms that PoC exploit code for the vulnerability is publicly available.

Analysis

This disclosure adds to a growing pattern of significant vulnerabilities affecting enterprise infrastructure.

Sources

  1. https://nvd.nist.gov/vuln/detail/CVE-2026-20230
  2. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/CVE-2026-20230