Cisco Unified CM SSRF flaw exploited to drop webshells (CVE-2026-20230)

On 24 June 2026, security researchers warned that attackers had begun actively exploiting CVE-2026-20230, a critical server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME). The flaw — caused by improper input validation of specific HTTP requests — lets an unauthenticated, remote attacker coerce the server into making crafted requests, and is being abused to write files to the underlying operating system as a stepping stone toward full compromise.

What happened

The vulnerability is reachable through Cisco's WebDialer service, a click-to-dial component. WebDialer is disabled by default, but it is routinely enabled in production enterprise telephony deployments, leaving a large installed base exposed. Cisco rated the issue Critical despite a CVSS v3.1 base score of 8.6.

After public exploit code surfaced, exploitation escalated quickly. Researchers first observed weekend reconnaissance from a single source IP sending crafted file:// payloads to write files on affected devices, before activity shifted to automated, Tor-routed sweeps dropping multi-stage JSP webshells through the WebDialer SSRF chain. The same file-write primitive can be leveraged to plant artifacts that ultimately allow escalation to root on the host.

Impact

Unified CM is the call-control core of many enterprise and government telephony estates, and a webshell on that server hands an attacker a persistent foothold inside the voice infrastructure and the network around it. Observers cautioned that patching alone may not evict an intruder who has already dropped a webshell, so exposed organisations need to hunt for implants in addition to upgrading.

Remediation

Cisco's fixes cover all affected 14.x releases prior to 14SU6 and all 15.x releases prior to 15SU5, with an interim Cisco Options Package (COP) patch available for 15.x deployments that cannot immediately move to a full service update. Disabling WebDialer where it is not required removes the exploitation path until patches can be applied.

Sources

cisco.comhttps://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-cucm-ssrf-cXPnHcW.html

bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/cisco-unified-cm-sme-flaw-cve-2026-20230-now-exploited-in-attacks/

securityweek.comhttps://www.securityweek.com/hackers-exploiting-cisco-unified-cm-vulnerability/

helpnetsecurity.comhttps://www.helpnetsecurity.com/2026/06/24/cisco-unified-cm-flaw-exploited-to-drop-webshells-cve-2026-20230/

securityaffairs.comhttps://securityaffairs.com/194153/uncategorized/cisco-unified-cm-flaw-cve-2026-20230-actively-exploited-in-the-wild.html

Related incidents

Zero-dayOngoingJune 10, 2026

Microsoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges (CVE-2026-47281)

Researchers disclosed a Microsoft Defender privilege-escalation zero-day dubbed RoguePlanet (CVE-2026-47281) that abuses a race condition to redirect a SYSTEM-level file operation and hand a local attacker full SYSTEM access on fully updated Windows machines.

Victim: Microsoft Defender

Zero-dayContainedJune 9, 2026

Google patches actively exploited Chrome V8 zero-day (CVE-2026-11645)

Google shipped an emergency Chrome update fixing CVE-2026-11645, a high-severity out-of-bounds memory flaw in the V8 engine that lets a crafted web page run arbitrary code and for which an exploit already exists in the wild.

Victim: Google Chrome

Zero-dayOngoingJune 5, 2026

Cisco SD-WAN Manager zero-day exploited in the wild (CVE-2026-20245)

Cisco warned that an unpatched high-severity zero-day in Catalyst SD-WAN Manager (CVE-2026-20245) was being actively exploited to execute arbitrary commands and escalate to root, after Mandiant reported a limited number of real-world attacks.

Victim: Cisco Catalyst SD-WAN Manager

Supply chainContainedJune 4, 2026

IronWorm self-propagating malware hits 36 npm packages (2026)

Researchers disclosed IronWorm, a Rust-based, self-propagating infostealer that compromised 36 npm packages, stealing developer and CI secrets and republishing trojanized packages using stolen npm publishing credentials.

Victim: npm (Node Package Manager registry)