Attackers Exploit Cisco Unified CM CVE-2026-20230 in the Wild

Threat intelligence firm Defused reports that a high-severity server-side request forgery issue tracked as CVE-2026-20230 in the Cisco telephony platform is now under active exploitation.

Cisco disclosed the flaw on June 3. The company warned that the bug could allow an unauthenticated remote attacker to conduct SSRF attacks through an affected device. Cisco stated the vulnerability stems from improper input validation for specific HTTP requests.

Successful exploitation could let an attacker write files to the underlying operating system that could later be used to elevate to root privileges. The issue affects both the main product and its Session Management Edition variant.

Defused observed exploitation over the weekend. The firm reported on X that it saw attacks targeting the bug, described as a WebDialer SSRF leading to root file-write with a CVSS score of 8.6. No previously recorded exploitation existed and the vulnerability was not yet listed in CISA's Known Exploited Vulnerabilities catalog at the time of the warning.

The attacks originate from a single IP address and use properly constructed file:// payloads to create files on the device. On honeypots, the observed proof-of-concept attempts to write a text file named '/tmp/cve-2026-20230-test.txt'.

SSD Secure disclosed technical details after exploitation reports. The researchers who originally reported the flaw to Cisco published a write-up explaining how an unauthenticated attacker can abuse the Webdialer component's handling of user-supplied URLs. This forces the application to write arbitrary files to the operating system using file:// URIs.

By controlling the file path and content written to disk, an attacker could achieve remote code execution and ultimately gain root privileges. Exploitation requires first obtaining the target system's hostname, which the researchers demonstrated can be retrieved from the device beforehand.

Current activity appears limited to reconnaissance. While the flaw can be used to drop webshells and gain root, the observed PoC focuses on identifying vulnerable devices. With full technical details now public, more threat actors are expected to target these servers.