Cisco Unified CM SSRF flaw CVE-2026-20230 already exploited

CVE-2026-20230 SSRF – Cisco warns that CVE-2026-20230, a high-severity SSRF vulnerability in Unified Communications Manager, can enable unauthenticated attackers to write files and escalate to root. After disclosure, Defused reported active exploitation from a single IP address—sta
A Cisco Unified Communications Manager server is sitting behind your organization’s voice and messaging traffic—until someone sends one crafted request.
Cisco has identified CVE-2026-20230, a high-severity server-side request forgery (SSRF) vulnerability affecting Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). In its security advisory released on June 3, Cisco warned that a remote attacker without authentication could exploit the flaw and, if successful, write files to the underlying operating system in a way that could later be used to elevate privileges to root.
The problem, Cisco said, comes down to improper input validation for specific HTTP requests. An attacker would send a crafted HTTP request to an affected device, and the response could allow the attacker to write files on the system—opening the door to privilege escalation.
Cisco also said the vulnerability was disclosed to it by SSD Secure, though SSD Secure did not share technical details at the time.
That warning is no longer theoretical. After the update was released, threat intelligence firm Defused reported that exploitation has already begun. “Over the weekend we observed exploitation of CVE-2026-20230 – Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6). No previously recorded exploitation, and not yet listed in CISA KEV,” Defused wrote on X.
Defused said the attacks are originating from a single IP address and are using properly constructed file:// payloads. Based on its description of what it saw, the goal was not to immediately take over every system; it looked like deliberate target-checking. Defused said the proof-of-concept attempts to write a text file named /tmp/cve-2026-20230-test.txt to the device.
Cisco’s advisory describes the end state as severe: attackers could use the SSRF to write files to the operating system, and those files could be used later to elevate to root. Defused’s observed behavior suggests the current wave may be reconnaissance, confirming which servers are vulnerable before moving on to heavier payloads.
After exploitation was disclosed, SSD Secure published a technical write-up explaining how the bug works and shared a proof-of-concept exploit. The researchers found that an unauthenticated attacker could abuse the Webdialer component’s handling of user-supplied URLs. Using file:// URIs, the flaw could be used to force the application to write arbitrary files to the operating system.
SSD Secure also described what it would take for a full file-write attack: the attacker first needs the target system’s hostname. The researchers demonstrated how that information can be retrieved from the device before exploitation.
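The weakness the advisory and the write-up describe, improper validation of a user-supplied URL that lets a file:// URI through to a component that then acts on it, is a generic SSRF pattern. The following is an added example, not Cisco’s code and not SSD Secure’s proof of concept, and it says nothing about how WebDialer actually parses its requests. It places a naive substring check (the kind of “validation” that still passes a file:// URI when the attacker varies case) beside a hardened check that parses first, allow-lists the scheme, and refuses literal loopback and private addresses. Function names, the probe strings and the placeholder host are assumptions for illustration.

```python
"""Added example (not Cisco's code nor SSD Secure's PoC): two ways of
validating a user-supplied URL before a server follows it. The naive check is
the kind of 'validation' that still lets a file:// URI through; the hardened
one parses first and allow-lists the scheme. Function names are illustrative."""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LEN = 2048


def naive_is_safe(url: str) -> bool:
    """Substring blocklist. Passes 'FILE://...' because the comparison is
    case-sensitive, and passes every other non-network scheme outright."""
    return "file://" not in url


def hardened_url(url: str) -> str:
    """Return a normalised URL that is safe to hand to an outbound fetcher,
    or raise ValueError. Parse, then allow-list: never the other way round."""
    if not isinstance(url, str) or not url or len(url) > MAX_URL_LEN:
        raise ValueError("missing or oversized URL")
    parts = urlsplit(url.strip())          # urlsplit lower-cases the scheme
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:      # file, gopher, ftp, jar ... all refused
        raise ValueError(f"scheme {scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    # A literal IP can be checked here. A DNS name still has to be resolved
    # and the resolved address checked just before connecting (not done here).
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local
                           or ip.is_reserved or ip.is_unspecified):
        raise ValueError(f"address {host} is not routable for this service")
    return urlunsplit((scheme, parts.netloc, parts.path or "/", parts.query, ""))


def is_allowed(url: str) -> bool:
    """Boolean wrapper around hardened_url for callers that just want yes/no."""
    try:
        hardened_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    probes = [
        "file:///tmp/cve-2026-20230-test.txt",   # probe file name reported by Defused
        "FILE:///tmp/cve-2026-20230-test.txt",   # case variant slips past the naive check
        "https://127.0.0.1/",                     # loopback via a permitted scheme
        "https://cucm.example.invalid/dir",       # placeholder host (assumption)
    ]
    for p in probes:
        print(f"{p!r:48} naive={naive_is_safe(p)!s:5} hardened={is_allowed(p)}")
```

The literal-address check only covers IP literals; a hostname that resolves to 127.0.0.1 or an RFC 1918 address still has to be caught by resolving it and checking the result immediately before the socket is opened, otherwise DNS rebinding defeats the validator.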
Even if the first attempts look like reconnaissance, the mechanics are the same ones defenders fear: the WebDialer SSRF issue can be exploited to drop webshells and gain root privileges. Defused cautioned that because the flaw has now been fully disclosed, more threat actors are likely to target Cisco Unified CM servers.
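The two indicators this page actually gives a defender, a file:// URI carried in a request parameter and a probe that tries to create /tmp/cve-2026-20230-test.txt, are enough to build a first-pass log check. What follows is an added example, not Cisco’s, Defused’s or SSD Secure’s code: it parses combined-log-format access lines, decodes each query parameter (twice, so double-encoded payloads are seen), and flags a file: scheme or the reported probe file name. The log lines are constructed for the example, the /webdialer/example path is a placeholder and not a real endpoint, and the IPs and timestamps are invented.

```python
"""Added example (not Cisco's, Defused's or SSD Secure's code): scan HTTP access
log lines for the indicators described on this page, a file: scheme URI inside
a request parameter and the /tmp/cve-2026-20230-test.txt probe file name.
The log lines are constructed, and the request path is a placeholder."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined-log-format lines, constructed for this example. /webdialer/example
# is a placeholder path (assumption), not a real WebDialer endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2026:02:14:09 +0000] "GET /webdialer/example?uri=file%3A%2F%2F%2Ftmp%2Fcve-2026-20230-test.txt HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.23 - - [07/Jun/2026:02:15:11 +0000] "GET /webdialer/example?uri=https%3A%2F%2Fdirectory.example.invalid%2Flookup HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2026:02:16:30 +0000] "POST /webdialer/example HTTP/1.1" 200 128 "-" "curl/8.6.0"
203.0.113.7 - - [07/Jun/2026:02:17:45 +0000] "GET /webdialer/example?uri=FILE%3A%252F%252F%252Ftmp%252Fprobe.txt HTTP/1.1" 500 0 "-" "curl/8.6.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
FILE_SCHEME_RE = re.compile(r"^\s*file:", re.IGNORECASE)   # FILE:, File: ... all match
PROBE_FILE = "cve-2026-20230-test.txt"   # probe file name Defused reported


def param_values(target: str):
    """Yield each query-string value once decoded and, if that changes it,
    decoded a second time so double-encoded payloads are also inspected."""
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        yield value                           # parse_qsl already decoded once
        again = unquote_plus(value)
        if again != value:
            yield again


def classify(line: str):
    """Return a record with the indicator(s) matched, or None if the line does
    not parse. An empty 'reasons' list means the request looked benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m["target"]
    reasons = []
    if any(FILE_SCHEME_RE.match(v) for v in param_values(target)):
        reasons.append("file: scheme URI in request parameter")
    if PROBE_FILE in unquote_plus(target).lower():
        reasons.append("known probe file name")
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]), "target": target, "reasons": reasons}


def scan(log_text: str):
    """All records that matched at least one indicator, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


def by_source(hits):
    """Hits per client IP; the page notes the activity so far came from one IP."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["status"], h["target"], "|", "; ".join(h["reasons"]))
    print("per source:", by_source(found))
```

On the server itself the cheapest check is whether /tmp/cve-2026-20230-test.txt exists, since that is the artefact the observed probe tries to create; a request that returned a 200 with a file: parameter deserves the same attention as one that returned an error, because the page does not say which status an affected server returns. A real Unified CM log format and endpoint paths will differ from the placeholders here, so the regex and path assumptions must be adjusted before use.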
BleepingComputer contacted Cisco to ask whether Cisco is also seeing exploitation in the wild and whether any indicators of compromise can be shared with defenders, and said it would update if it receives a response.
So wait, this lets some random person write files and get root… great. Sounds like our phone system is basically a backdoor.
I don’t even know what Unified CM is but if it’s behind voice and messaging traffic then yeah that seems bad. Isn’t SSRF like the thing where they can make the server go fetch stuff it shouldn’t? Hope they patched everyone.
Defused says it’s one IP doing it, so can’t Cisco just block that IP? Like just add a firewall rule and done. Also I saw “WebDialer SSRF” and thought that was like phone scam dialers lol.
“Root file-write” sounds like a ransomware starter kit. But I’m confused because it says unauthenticated attackers and then “until someone sends one crafted request” like… doesn’t that mean it could happen any day? We have Cisco stuff at work, but IT keeps saying “it’s not exposed to the internet” so I’m not sure how they got in.