Cisco Unified CM flaw CVE-2026-20230 is now being exploited in attacks

A critical server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM), tracked as CVE-2026-20230, is now being exploited in attacks.
Cisco released security updates for CVE-2026-20230 on June 3, warning that a successful exploit could give attackers root privileges on affected devices.
“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthorized, remote attacker to conduct a server-side request forgery (SSRF) attack using an affected device,” Cisco warned.

“This vulnerability is due to invalid input validation of certain HTTP requests. An attacker could exploit this vulnerability by sending a well-crafted HTTP request to an affected device. A successful exploit could allow an attacker to write files on the underlying operating system that could later be used to upload the root.”
The flaw was reported to Cisco by SSD Secure, which did not share any technical details at the time.
Today, threat intelligence firm Defused warned that the flaw is being exploited in attacks.
“Over the weekend we saw the exploit CVE-2026-20230 – Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6). There is no previously recorded exploit, and it is not yet listed in CISA KEV,” Defused warned on X.
Defused says the attacks originate from a single IP address and use crafted file:// payloads to create files on the device.

Source: Defused
While the flaw can be used to drop webshells and gain root privileges, the exploit seen by Defused appears to be designed to identify vulnerable devices by attempting to write a test file named ‘/tmp/cve-2026-20230-test.txt’ to them.
After the flaw was disclosed, SSD Secure published a technical write-up explaining how the vulnerability works, along with a proof-of-concept exploit.
The researchers found that an unauthorized attacker could abuse the WebDialer component’s handling of user-supplied URLs to make the application write arbitrary files to the underlying operating system using file:// URIs.
By controlling the file path and content written to disk, an attacker can exploit the bug to achieve remote code execution and ultimately gain root privileges on vulnerable devices.
SSD Secure noted that the exploit requires the attacker to first obtain the hostname of the target system before performing the file write. However, the researchers also showed how that information can be retrieved from the device before exploitation.
While the exploitation seen so far appears to be experimental in nature, now that the flaw has been fully disclosed, more threat actors will likely start targeting these servers.
BleepingComputer has reached out to Cisco to ask whether it is aware of the flaw being used in attacks and whether any IOCs can be shared with defenders, and we will update this article when we hear back.
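Defenders who want to hunt for this activity in their own web access logs can look for exactly what the write-up and Defused describe: HTTP requests to the WebDialer component whose parameters carry a file:// URI. The script below is an added example written for this article, not code from Cisco, SSD Secure or Defused. The log lines in it are constructed, in a generic combined-log shape rather than the real Unified CM log format, and the endpoint path "/webdialer/Webdialer" and the parameter name "cmd" are assumptions chosen for illustration; adjust both to what your own logs show. It percent-decodes request targets (twice, to catch double-encoding), extracts any file:// URI, resolves the OS path the request tries to write, and flags the ‘/tmp/cve-2026-20230-test.txt’ marker that the observed PoC drops.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines in a generic combined-log shape, not real
# Cisco Unified CM logs. The endpoint path "/webdialer/Webdialer" and the query
# parameter name "cmd" are assumptions used for illustration only; adjust both
# to what your own web logs show. The first two lines mimic what the article
# describes: requests to the WebDialer component carrying a file:// URI, one in
# the clear and one percent-encoded. The last two are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2026:02:14:09 +0000] "GET /webdialer/Webdialer?cmd=file:///tmp/cve-2026-20230-test.txt HTTP/1.1" 200 512
203.0.113.7 - - [07/Jun/2026:02:14:11 +0000] "POST /webdialer/Webdialer?cmd=file%3A%2F%2F%2Fvar%2Ftmp%2Fx.jsp HTTP/1.1" 200 512
198.51.100.20 - - [07/Jun/2026:02:15:00 +0000] "GET /webdialer/Webdialer?cmd=doMakeCallProxy HTTP/1.1" 200 120
198.51.100.21 - - [07/Jun/2026:02:15:03 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 302 0
"""

# File the PoC observed by Defused tries to write (taken from the article).
KNOWN_PROBE_PATH = "/tmp/cve-2026-20230-test.txt"

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
FILE_URI_RE = re.compile(r"file:/{2,}[^\s\"&]+", re.IGNORECASE)


def _file_uris_in_target(target: str) -> list[str]:
    """Return every file:// URI found in a request target, after decoding."""
    parts = urlsplit(target)
    candidates = [unquote(parts.path)]
    # parse_qsl percent-decodes once; unquote again to catch double-encoding.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append(unquote(value))
    found = []
    for cand in candidates:
        found.extend(FILE_URI_RE.findall(cand))
    return found


def find_file_uri_requests(log_text: str) -> list[dict]:
    """Flag WebDialer requests whose target carries a file:// URI.

    Returns one dict per hit: source IP, timestamp, method, request path, HTTP
    status, the file URI, the OS path it resolves to, and whether that path is
    the marker file written by the known probe.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src_ip, ts, method, target, status = m.groups()
        path = urlsplit(target).path
        if "webdialer" not in path.lower():
            continue
        for uri in _file_uris_in_target(target):
            written = urlsplit(uri).path
            hits.append({
                "src_ip": src_ip,
                "timestamp": ts,
                "method": method,
                "request_path": path,
                "status": int(status),
                "file_uri": uri,
                "written_path": written,
                "known_probe": written == KNOWN_PROBE_PATH,
            })
    return hits


def sources_by_hit_count(hits: list[dict]) -> Counter:
    """Count hits per source IP; the article reports a single source so far."""
    return Counter(h["src_ip"] for h in hits)


if __name__ == "__main__":
    hits = find_file_uri_requests(SAMPLE_LOG)
    for h in hits:
        flag = " (matches the PoC probe file)" if h["known_probe"] else ""
        print(f"{h['timestamp']} {h['src_ip']} {h['method']} {h['request_path']}"
              f" -> writes {h['written_path']}{flag}")
    print(sources_by_hit_count(hits))
```

Any hit is worth investigating even when the written path is the harmless test file, because the same request shape with a different path is the webshell drop. On the appliance itself, the presence of ‘/tmp/cve-2026-20230-test.txt’ is the one host-side indicator the article gives; a file write into a web-served directory would be the one to worry about.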
