Cisco Unified CM Flaw Faces Active Exploitation After PoC Release
Attackers are actively exploiting CVE-2026-20230, a critical flaw in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME), shortly after technical details and proof-of-concept code became public. Cisco said the bug stems from improper input validation in certain HTTP requests and can let an unauthenticated attacker perform SSRF, write arbitrary files to the underlying operating system, and potentially escalate privileges to root; researchers also described a path to unauthenticated remote code execution. Exploitation requires the WebDialer service to be enabled, although Cisco notes it is disabled by default.
Exploit intelligence firm Defused reported seeing attacks from a single source using an unvetted PoC, with file:// file-write payloads observed against decoy systems over the weekend. Cisco patched the issue in Unified CM 14SU6 and 15SU5, while SSD Secure Disclosure, which reported the vulnerability, published additional technical details showing how attackers could recover a target's true hostname and progress toward code execution. Cisco has advised customers to apply the fixes and, if patching cannot be done immediately, disable WebDialer to reduce exposure on widely deployed enterprise voice platforms.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Defused observes active exploitation of CVE-2026-20230
Over the weekend, Defused reported seeing active exploitation from a single source using an unvetted proof-of-concept. Its decoy systems were hit with file-write payloads targeting the flaw.
SSD Secure Disclosure publishes technical details and PoC
Shortly after Cisco's patch, SSD Secure Disclosure published technical details and proof-of-concept code for the vulnerability. The material showed the issue could be leveraged for unauthenticated remote code execution, including obtaining the target's true hostname and enabling a path toward code execution.
Cisco discloses and patches CVE-2026-20230 in Unified CM
On 2026-06-03, Cisco disclosed and patched CVE-2026-20230, a critical vulnerability in Unified Communications Manager and Unified CM SME. Cisco said the flaw could allow unauthenticated SSRF, arbitrary file writes to the underlying operating system, and potential privilege escalation to root when WebDialer is enabled.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Cisco Unified CM Flaw CVE-2026-20230 Actively Exploited in the Wild
securityaffairs.com
Open sourceCritical Cisco Unified CM and SME Flaw Enables Remote Attacker to Launch SSRF Attacks
cybersecuritynews.com
Open sourceCisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root
thehackernews.com
Open sourceHackers Exploiting Cisco Unified CM Vulnerability - SecurityWeek
securityweek.com
Open sourceAttackers exploit Cisco Unified CM flaw weeks after patch release | CSO Online
csoonline.com
Open sourceCisco Unified CM flaw actively exploited to drop webshells (CVE-2026-20230) - Help Net Security
helpnetsecurity.com
Open sourceCisco Unified Communications Manager Arbitrary File Write to RCE - SSD Secure Disclosure
ssd-disclosure.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Cisco Unified CM SSRF Could Lead to Root Privilege Escalation
Cisco disclosed **CVE-2026-20230**, a server-side request forgery vulnerability in **Cisco Unified Communications Manager (Unified CM)** and **Unified CM Session Management Edition (Unified CM SME)** that can be exploited remotely without authentication. The flaw stems from improper input validation in specific HTTP requests, and Cisco said successful exploitation could let an attacker write files to the underlying operating system and later escalate privileges to **root**. Cisco assigned the issue a **Critical** security impact rating even though the CVSS v3.1 profile is listed as High severity. The vulnerability affects **Release 14** versions prior to **14SU6** and **Release 15** versions prior to **15SU5** or the relevant **COP** update. Cisco noted that exploitation requires the **WebDialer** service to be enabled, and that service is disabled by default, but Canadian authorities warned that **proof-of-concept exploit code is available** and urged organizations to review Cisco’s advisory and apply updates promptly.
Jun 5, 2026
Active Exploitation of Cisco Unified Communications RCE (CVE-2026-20045)
Cisco released fixes for a **critical remote code execution** vulnerability in Unified Communications and *Webex Calling Dedicated Instance*, tracked as **CVE-2026-20045**, after it was **actively exploited as a zero-day**. The issue stems from **improper validation of user-supplied input in HTTP requests** to the web-based management interface; successful exploitation can provide **user-level OS access** and enable **privilege escalation to root**. Affected products include **Cisco Unified Communications Manager (Unified CM)**, **Unified CM Session Management Edition (SME)**, **Unified CM IM & Presence**, **Cisco Unity Connection**, and **Webex Calling Dedicated Instance**; Cisco provided version-specific remediations including fixed releases and `.cop` patch files (e.g., `ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512`). CISA added **CVE-2026-20045** to its **Known Exploited Vulnerabilities (KEV) Catalog**, citing evidence of active exploitation and highlighting code injection flaws as a common attack vector with significant risk to the federal enterprise. Under **Binding Operational Directive (BOD) 22-01**, Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities by the specified due date, and CISA urged all organizations to similarly prioritize patching to reduce exposure to ongoing attacks.
Mar 21, 2026
Cisco SD-WAN Authentication Bypass Exploited for Admin Access and Persistence
Cisco disclosed and patched **CVE-2026-20182**, a critical `CVSS 10.0` authentication bypass flaw in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager** that has been exploited in the wild. The bug affects the `vdaemon` control-plane service over **DTLS/UDP 12346** and allows an unauthenticated attacker to impersonate a trusted peer, gain high-privilege administrative access, reach **NETCONF** on `TCP/830`, and manipulate SD-WAN fabric configuration. Rapid7 said the flaw stems from missing authentication checks when a peer claims to be a vHub device, enabling attackers to inject SSH keys for the `vmanage-admin` account and establish persistent access; Cisco said there are **no workarounds** and released fixed software versions for affected on-premises, cloud, managed-cloud, and FedRAMP deployments. Cisco Talos attributed the most sophisticated exploitation of `CVE-2026-20182` with high confidence to **UAT-8616**, which was observed adding SSH keys, modifying NETCONF settings, and escalating privileges to root, with infrastructure overlap noted with Operational Relay Box networks. Talos also reported broader ongoing attacks against SD-WAN environments, including widespread exploitation of previously disclosed **CVE-2026-20133**, **CVE-2026-20128**, and **CVE-2026-20122** after public proof-of-concept release, leading to deployment of JSP webshells such as **XenShell**, **Godzilla**, and **Behinder**, along with tools including Sliver, AdaptixC2, XMRig, gsocket, and credential-stealing scripts. **CISA added CVE-2026-20182 to the KEV catalog** and ordered federal agencies to remediate quickly, while Cisco and national cyber agencies urged organizations to preserve forensic evidence, review logs for unauthorized peering and `vmanage-admin` public-key logins, and patch all vulnerable control components immediately.
Jun 8, 2026