A High-Severity Vulnerability in Cisco Unified Communications Manager Server Exploited
In recent news, a high-severity Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-20230, in Cisco Unified Communications Manager Server is currently being exploited in cyber attacks.
Cisco took immediate action by releasing security updates for the CVE-2026-20230 flaw on June 3, cautioning users that exploitation of this vulnerability could grant attackers root privileges on the affected device.
Cisco warned, “A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct SSRF attacks through the affected device.”
The vulnerability stems from improper input validation for specific HTTP requests, enabling attackers to send crafted HTTP requests to the affected device. Successful exploitation could lead to unauthorized file writing on the underlying operating system, potentially allowing elevation to root access.
The vulnerability was initially reported to Cisco by SSD Secure, which withheld technical details at the time of disclosure. However, recent reports from the threat intelligence firm Defused indicate that the flaw is now being actively exploited in ongoing attacks.
Defused highlighted, “Over the weekend, we observed exploitation of CVE-2026-20230 – Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6). No previously recorded exploitation, and not yet listed in CISA KEV.”
According to Defused, the attacks are traced back to a single IP address utilizing well-crafted file:// payloads to create files on the compromised device.
[Figure: Cisco CVE-2026-20230 exploit attempts observed on honeypots. Source: Defused]
Although the vulnerability can be leveraged in attacks to deploy webshells and obtain root privileges, the Proof of Concept (PoC) observed by Defused primarily focuses on identifying vulnerable devices by attempting to write a specific text file to them.
Following the public disclosure of the exploitation, SSD Secure released a detailed write-up explaining the vulnerability and sharing a proof-of-concept exploit.
The researchers found that an unauthenticated attacker could abuse the WebDialer component's handling of user-supplied URLs to make the application write arbitrary files to the operating system via file:// URIs.
By controlling the file path and content written to disk, an attacker could execute remote code and potentially gain root privileges on susceptible devices.
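The two defensive angles the preceding paragraphs suggest are (a) spotting file:// payloads in web access logs, as Defused did on its honeypots, and (b) validating user-supplied URLs so that only http(s) targets on an allowlist are ever fetched. The following is an added, generic illustration written for this article; it is not Cisco's code, not SSD Secure's or Defused's tooling, and it does not know the real WebDialer endpoint or parameter names. The endpoint path `/placeholder-webdialer-endpoint`, the query parameters `url` and `target`, the allowlisted host `ccm-node1.example.internal` and the sample log lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Only absolute http(s) URLs to known-good hosts are acceptable fetch targets.
ALLOWED_SCHEMES = {"http", "https"}
# Assumption: the host allowlist below is a placeholder, not a real deployment value.
ALLOWED_HOSTS = {"ccm-node1.example.internal"}

# URL schemes that have no business appearing in a parameter that should name
# an HTTP target; file: is the one the article describes.
SUSPICIOUS_SCHEME = re.compile(r"\b(file|gopher|dict|ftp|ldap)\s*:", re.IGNORECASE)

# Combined-log-format style line: ip ident user [ts] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample access log (not real traffic). Lines 2 and 3 carry file:// payloads,
# line 3 double-percent-encoded to evade naive string matching.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Jun/2026:10:00:01 +0000] "GET /placeholder-webdialer-endpoint'
    '?url=https%3A%2F%2Fccm-node1.example.internal%2Fok HTTP/1.1" 200 512',
    '203.0.113.10 - - [05/Jun/2026:10:00:02 +0000] "GET /placeholder-webdialer-endpoint'
    '?url=file%3A%2F%2F%2Ftmp%2Fprobe.txt HTTP/1.1" 200 17',
    '198.51.100.7 - - [05/Jun/2026:10:00:03 +0000] "POST /placeholder-webdialer-endpoint'
    '?target=%2566ile%253A%252F%252F%252Fvar%252Fx HTTP/1.1" 500 0',
    '198.51.100.7 - - [05/Jun/2026:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048',
]


def is_safe_target_url(raw: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Hardened validation for a user-supplied URL: True only for an absolute
    http(s) URL whose hostname is on the allowlist. Rejects file:, scheme-relative
    '//host/...' forms, unknown hosts and anything urlsplit cannot parse."""
    try:
        parts = urlsplit(raw.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:   # file:, gopher:, '' ...
        return False
    host = (parts.hostname or "").lower()
    return host in {h.lower() for h in allowed_hosts}


def find_ssrf_candidates(log_lines):
    """Scan access-log lines and return every query parameter whose (decoded)
    value names a non-HTTP scheme such as file://. parse_qs decodes one layer of
    percent-encoding; unquote() is applied again to catch double-encoded payloads."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for key, values in params.items():
            for value in values:
                decoded = unquote(value)
                if SUSPICIOUS_SCHEME.search(decoded):
                    hits.append({
                        "ip": m.group("ip"),
                        "ts": m.group("ts"),
                        "status": m.group("status"),
                        "param": key,
                        "value": decoded,
                    })
    return hits


if __name__ == "__main__":
    for hit in find_ssrf_candidates(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} param={hit['param']} value={hit['value']}")
    print(is_safe_target_url("file:///etc/hostname"))   # False: scheme not allowed
    print(is_safe_target_url("https://ccm-node1.example.internal/x"))  # True
```

The detector deliberately keys on the decoded parameter value rather than on a literal `file://` substring in the raw request line, which is why the double-encoded third sample line is still flagged. On the mitigation side, the validator enforces an allowlist of schemes and hosts rather than a denylist of bad schemes, so a scheme the denylist never thought of is rejected by default.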
SSD Secure emphasized that exploitation requires the attacker to first obtain the target system's hostname before carrying out the file-write attack. Nonetheless, the researchers demonstrated how this information can be extracted from the device prior to exploitation.
While the current exploitation seems reconnaissance-oriented, with the full disclosure of the flaw, it is anticipated that more threat actors will target these vulnerable servers.
BleepingComputer reached out to Cisco to inquire about any observed exploitation of the flaw and whether they can share Indicators of Compromise (IOCs) with defenders. The article will be updated upon receiving a response.