Cisco Unified CM flaw CVE-2026-20230 Exploited in Attacks
2026-06-25 21:54 | Severity: CRITICAL / HIGH

Executive Summary (AI-generated)
Cisco Unified Communications Manager (CUCM) is being targeted by attacks that leverage CVE-2026-20230, an unauthenticated server-side request forgery (SSRF) vulnerability. Researchers at Defused observed attacks targeting this vulnerability within 24 hours of the public release of proof-of-concept code and have already identified instances where attackers exploit it to gain full control over affected CUCM platforms. This has significant implications for organizations that rely on Cisco's software infrastructure, particularly those running Unified CM or Unified CM SME deployments with the WebDialer service enabled. The attackers' ability to weaponize this vulnerability within a day shows how quickly public exploit code is adopted and highlights the need for prompt action from affected organizations to mitigate the risk.
Technical Mitigations (AI-generated)
* Disable WebDialer if not needed: The vulnerability is only exploitable when the WebDialer service is enabled, and the service is disabled by default. Organizations running Cisco Unified Communications Manager (CUCM) with WebDialer enabled that have not yet patched CVE-2026-20230 should assume they have been scanned. Whether a system is exposed can be checked with the rapid response test provided by Horizon3.ai.
* Implement Cisco's mitigations: Organizations that cannot disable WebDialer should:
- Immediately patch CVE-2026-20230 to prevent exploitation.
- Disable WebDialer on affected systems as soon as the service is no longer required.
- Deploy a web application firewall (WAF) with strict detection rules and rate limiting to block HTTP requests that could be used for SSRF attacks.
* Protect the Apache Axis SOAP service: The observed exploit chain abuses the Apache Axis SOAP service after the initial SSRF, so organizations using Cisco Unified CM should ensure it is protected:
- Apply the same WAF rules and rate limiting to block HTTP requests that could deploy a rogue Axis service.
* Monitor for SSRF attacks: Organizations should monitor their systems for signs of server-side request forgery (SSRF) attempts against CVE-2026-20230:
- Alert on WAF detections and rate-limit events.
- Use network monitoring tools to detect suspicious HTTP requests, unexpected outbound connections from the CUCM host, or changes in system behavior such as new files appearing under the Tomcat web directories.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-20230
Target & Sectors
Global Scope
healthcare
government
finance
Incident Timeline
June 3
Cisco released security updates for the CVE-2026-20230 flaw on June 3, warning that exploitation could give attackers root privileges on the device. Cisco released fixed versions of the affected software June 3 and urged organizations to treat CVE-2026-20230 as a critical vulnerability rather than as a high-severity flaw, as its CVSS score of 8.6 might otherwise suggest.
2026/06/23
Threat actors used a recently disclosed Cisco CUCM vulnerability to target affected systems within under 24 hours.
June 24
Threat actors exploited the recently disclosed Cisco CUCM vulnerability within less than 24 hours of the PoC release. On June 24, the activity morphed into full-scale attacks that unfolded in a manner very similar to SSD Secure Disclosure's PoC and exploit chain.
2026/06/25
Attackers weaponized the Cisco CUCM flaw CVE-2026-20230 in less than 24 hours, exploiting it to perform server-side request forgery (SSRF) attacks and gain root access.
In a report this week, researchers at Defused said they observed attacks targeting CVE-2026-20230 hitting their decoy CUCM systems barely 24 hours after the PoC and exploit chain became available. Defused says the attacks are originating from a single IP address and use properly constructed file:// payloads to create files on the device.
Attackers exploit the Cisco Unified CM flaw (CVE-2026-20230), which allows unauthenticated HTTP requests to trigger SSRF, write files, and gain root access. Cisco Unified Communications Manager has a serious vulnerability, tracked as CVE-2026-20230 (CVSS score of 8.6), that attackers are already exploiting. It impacts Cisco Unified CM and Unified CM SME deployments where the WebDialer service is enabled, allowing users to place calls directly from a Web browser.
"A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device," warned Cisco.
[Figure: Cisco CVE-2026-20230 exploit on honeypots. Source: Defused]
While the flaw can be exploited in attacks to drop webshells and gain root privileges, the PoC observed by Defused appears designed to identify vulnerable devices by attempting to write a text file named '/tmp/cve-2026-20230-test.txt' to them. The attacks appear to have begun less than 24 hours after researchers at SSD Secure Disclosure this week released proof-of-concept code (PoC) along with a full exploit chain for the vulnerability.
However, the risk depends on configuration: the vulnerability can only be exploited if the WebDialer service is enabled, which is disabled by default on affected systems.
Working Blueprint for Attacks
SSD Secure Disclosure's PoC and exploit chain showed how an unauthenticated remote attacker could gain full control of affected CUCM platforms.
The attacker then writes a malicious JSP file into a publicly accessible CUCM Tomcat Web directory using a malicious Axis service definition.
"The observed chain abuses the WebDialer SSRF to deploy a rogue Apache Axis service, uses that service to write a first-stage JSP file-writer, then drops a second-stage command-execution shell," protected by a password lifted straight from the PoC, Defused noted.
For organizations with large Cisco footprints, the CUCM exploit activity is the second urgent patching issue they have had to address this week, following reports of attacks targeting a separate vulnerability in Cisco Catalyst SD-WAN deployments.
Cisco claims some 30 million users use the platform globally.
Administrators can do this through the Unified CM Administration interface by going to Unified Serviceability, opening Service Activation under Tools, and unchecking the WebDialer Web Service option in the CTI Services section before saving the changes.
Below are the fixed releases:

Cisco Unified CM and Unified CM SME Release | First Fixed Release
14 | 14SU6
15 | 15SU5 (Sep 2026) or COP

The company confirms that PoC exploit code for the vulnerability is publicly available.
However, the PSIRT is not aware of attacks in the wild exploiting this issue.
The flaw was disclosed to Cisco by SSD Secure, who did not share any technical details at the time.
BleepingComputer contacted Cisco to ask if they, too, are seeing the flaw exploited in attacks and if any IOCs can be shared with defenders, and will update the article if we receive a response.
Intelligence Sources
BleepingComputer, 2026-06-23: Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks
Security Affairs, 2026-06-24: Cisco Unified CM Flaw CVE-2026-20230 Actively Exploited in the Wild
Dark Reading, 2026-06-25
Last Updated: 2026-06-29T06:25