
Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks

Why This Matters

The active exploitation of the CVE-2026-20230 SSRF vulnerability in Cisco Unified Communications Manager highlights the urgent need for organizations to apply security patches. This flaw, which can grant attackers root access, underscores the increasing sophistication of cyber threats targeting critical communication infrastructure. For consumers and businesses alike, this emphasizes the importance of timely updates to safeguard sensitive data and maintain operational integrity.

Key Takeaways

A high-severity SSRF vulnerability, tracked as CVE-2026-20230, in Cisco Unified Communications Manager Server is now being exploited in attacks.

Cisco released security updates for the CVE-2026-20230 flaw on June 3, warning that exploitation could give attackers root privileges on the device.

"A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device," warned Cisco.

"This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root."

The flaw was disclosed to Cisco by SSD Secure, who did not share any technical details at the time.

Today, threat intelligence firm Defused warned that the flaw is now being actively exploited in attacks.

"Over the weekend we observed exploitation of CVE-2026-20230 - Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6) No previously recorded exploitation, and not yet listed in CISA KEV," Defused warned on X.

Defused says the attacks are originating from a single IP address and use properly constructed file:// payloads to create files on the device.
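A defender-side log check for the request pattern Defused describes, as an added example that is not from the article, Cisco, or Defused. It assumes access logs in Common Log Format with the payload visible in the query string; the log lines, endpoint path, and parameter name are constructed placeholders, not the real WebDialer request.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: Common Log Format. The real Unified CM log layout may differ.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# "file:/" as a URL scheme, not as the tail of a longer word such as "profile:/".
FILE_SCHEME = re.compile(r'(?<![a-z0-9+.\-])file:/', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, placeholder path and parameter).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:00:00:01 +0000] "GET /constructed/endpoint?dest=file%3A%2F%2F%2Fconstructed%2Fplaceholder HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2026:00:00:05 +0000] "GET /constructed/endpoint?dest=%2566ile%253A%252F%252Fconstructed HTTP/1.1" 500 0',
    '198.51.100.7 - - [01/Jan/2026:00:01:00 +0000] "GET /constructed/endpoint?dest=https%3A%2F%2Fexample.com%2Fprofile%3A%2Fx HTTP/1.1" 200 100',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded schemes are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_file_scheme_requests(lines):
    """Return {client_ip: [(param, decoded_value, status), ...]} for file:// parameters."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = fully_decode(value)
            if FILE_SCHEME.search(decoded):
                hits[m["ip"]].append((name, decoded, m["status"]))
    return dict(hits)

if __name__ == "__main__":
    # Group by source IP, since the reported activity came from a single address.
    for ip, events in find_file_scheme_requests(SAMPLE_LOG).items():
        print(ip, len(events), "request(s) carrying a file: scheme")
        for name, decoded, status in events:
            print(f"  param={name} status={status} value={decoded}")
```

A payload sent in a request body would not appear in these logs, so a clean result here does not rule out exploitation.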

[Figure: Cisco CVE-2026-20230 exploit on honeypots. Source: Defused]
