
Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks

Huma Shazia, June 24, 2026 at 3:46 AM, 4 min read

Key Takeaways

Source: BleepingComputer
  • CVE-2026-20230 is now being actively exploited in the wild, just 20 days after Cisco released patches
  • The SSRF vulnerability allows unauthenticated attackers to write arbitrary files and gain root privileges
  • Current attacks appear to be reconnaissance, but full exploit code is now public

Attackers are now exploiting CVE-2026-20230, a high-severity SSRF vulnerability in Cisco Unified Communications Manager that lets unauthenticated attackers gain root privileges. Threat intelligence firm Defused confirmed active exploitation over the weekend, just 20 days after Cisco released patches.

The vulnerability, rated CVSS 8.6, affects both Cisco Unified CM and Unified CM Session Management Edition. An attacker can send crafted HTTP requests to force the server to write arbitrary files to the underlying operating system. From there, privilege escalation to root is straightforward.

How CVE-2026-20230 works

The flaw sits in the WebDialer component's handling of user-supplied URLs. According to SSD Secure, who originally disclosed the bug to Cisco, an attacker can abuse file:// URIs to write files anywhere on the system. By controlling both the file path and content, attackers can drop webshells or malicious scripts that execute with root privileges.

Cisco's advisory put it plainly: "This vulnerability is due to improper input validation for specific HTTP requests. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root."

There is one prerequisite: exploitation requires the attacker to first obtain the target system's hostname. SSD Secure demonstrated that this isn't much of a barrier, since the hostname can be retrieved directly from the device before the file-write attack is launched.

What the attacks look like so far

Defused spotted exploitation originating from a single IP address. The payloads use properly constructed file:// requests to create files on vulnerable servers.

The current activity appears to be reconnaissance. Attackers are attempting to write a text file named '/tmp/cve-2026-20230-test.txt' to identify vulnerable systems. They're mapping the attack surface before deploying actual payloads.

Cisco CVE-2026-20230 exploit on honeypots

That window is closing. SSD Secure published a full technical writeup and proof-of-concept exploit after Defused confirmed active exploitation. With working exploit code now public, more threat actors will pile on.

Why this matters for enterprise networks

Cisco Unified Communications Manager sits at the heart of enterprise VoIP deployments. Cisco holds over 70% of the enterprise unified communications market, meaning hundreds of thousands of organizations run this software. A compromised Unified CM server gives attackers a foothold inside the network with root-level access to a trusted system.

The vulnerability is unauthenticated. No credentials needed. If your Unified CM server is reachable, it's vulnerable until patched.

CISA hasn't yet added CVE-2026-20230 to the Known Exploited Vulnerabilities catalog, but that's likely coming. Once listed, federal agencies will have a deadline to patch.

What to do now

Cisco released patches on June 3. If you haven't applied them, do it today. There are no workarounds for this vulnerability.

  • Check for files named 'cve-2026-20230-test.txt' in /tmp as an indicator of compromise
  • Review logs for unusual HTTP requests to the WebDialer component
  • Monitor for unexpected file creation or modification on Unified CM servers
  • Restrict network access to Unified CM management interfaces where possible
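The first three checks above can be scripted. The following triage helper is an added example (it is not from the article, BleepingComputer, Defused or Cisco): it looks for the reconnaissance marker file named in the article and scans web-server access-log lines for requests to the WebDialer component that carry a file:// URI. The Common Log Format layout, the "webdialer" path substring and the query parameter name in the sample lines are assumptions, since the article does not name the exact URL; the log lines are constructed for illustration.

```python
"""Triage helper for the two detection checks described in the article.

Assumptions (not stated in the article):
  * access logs are in Common Log Format (CLF);
  * WebDialer requests can be recognised by the substring "webdialer"
    in the request path;
  * the query parameter name in the sample lines is made up.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

INDICATOR_FILE = "/tmp/cve-2026-20230-test.txt"  # IoC path quoted in the article

# CLF: host ident user [time] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

WEBDIALER_MARKER = "webdialer"  # assumed path substring for the component
# file:// scheme, raw or percent-encoded, anywhere in the request target
FILE_URI_RE = re.compile(r"file(?::|%3a)(?:/|%2f){2}", re.IGNORECASE)


@dataclass
class Finding:
    src: str
    time: str
    path: str
    reason: str


def indicator_file_present(path: str = INDICATOR_FILE) -> bool:
    """Check 1: does the reconnaissance marker file exist on this host?"""
    return os.path.exists(path)


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Check 2: flag WebDialer requests whose target contains a file:// URI.

    Lines that do not parse as CLF are skipped rather than guessed at.
    """
    findings: List[Finding] = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if WEBDIALER_MARKER not in path.lower():
            continue
        if FILE_URI_RE.search(path):
            findings.append(
                Finding(m.group("src"), m.group("time"), path,
                        "file:// URI in WebDialer request")
            )
    return findings


def sources_by_count(findings: Iterable[Finding]) -> Dict[str, int]:
    """Group findings by source address; the article notes a single IP so far."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jun/2026:02:14:09 +0000] "GET /webdialer/Webdialer?'
    'param=file%3A%2F%2F%2Ftmp%2Fcve-2026-20230-test.txt HTTP/1.1" 200 512',
    '198.51.100.4 - - [21/Jun/2026:02:15:10 +0000] "GET /webdialer/Webdialer?'
    'param=https://intranet.example/dial HTTP/1.1" 200 300',
    '203.0.113.7 - - [21/Jun/2026:02:16:11 +0000] "POST /webdialer/Webdialer '
    'HTTP/1.1" 200 128',
    '192.0.2.9 - - [21/Jun/2026:02:17:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
    "not a log line at all",
]


if __name__ == "__main__":
    print("indicator file present:", indicator_file_present())
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.time} {h.src} {h.reason}: {h.path}")
    print("suspicious sources:", sources_by_count(hits))
```

Run it against a real access log with `scan_access_log(open(path))`; a hit is a reason to pull the full request and check the server for unexpected files under the paths the request names, not proof of compromise on its own.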

BleepingComputer has contacted Cisco for additional IOCs and details on observed attacks. No response yet.



Logicity's Take

Twenty days from patch to exploitation is fast, but not unusual for high-value Cisco infrastructure. What's notable here is the reconnaissance phase. Attackers are being methodical, fingerprinting vulnerable systems before launching real payloads. Organizations that patch this week will likely dodge the actual attacks. Those that wait another two weeks won't be so lucky. The public PoC changes the calculus entirely.

Frequently Asked Questions

What is CVE-2026-20230?

CVE-2026-20230 is a high-severity SSRF vulnerability in Cisco Unified Communications Manager that allows unauthenticated attackers to write arbitrary files and escalate to root privileges. It has a CVSS score of 8.6.

Is CVE-2026-20230 being actively exploited?

Yes. Threat intelligence firm Defused confirmed active exploitation starting over the weekend of June 21-22, 2026. Current attacks appear focused on identifying vulnerable systems.

How do I patch CVE-2026-20230?

Cisco released security updates on June 3, 2026. Apply the latest patches for Unified CM and Unified CM SME through your normal Cisco update process. There are no workarounds available.

How can I tell if my Cisco Unified CM was targeted?

Check for the presence of '/tmp/cve-2026-20230-test.txt' on your servers. This file indicates an attacker probed your system. Also review HTTP logs for unusual requests to the WebDialer component.


Need Help Implementing This?

If your team needs guidance on patching Cisco Unified CM or investigating potential compromise, reach out to your Cisco TAC contact or a qualified incident response firm. Don't wait on this one.


Huma Shazia

Senior AI & Tech Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
