Attackers have begun actively exploiting a critical flaw in Cisco Unified Communications Manager (CUCM) to gain root access on vulnerable systems.
The attacks appear to have begun less than 24 hours after researchers at SSD Secure Disclosure this week released proof-of-concept code (PoC) along with a full exploit chain for the vulnerability.
SSRF to Root
The vulnerability, tracked as CVE-2026-20230, is an input validation flaw that allows an unauthenticated remote attacker to perform server-side request forgery (SSRF) against affected devices and escalate privileges to root. It impacts Cisco Unified CM and Unified CM SME deployments where the WebDialer service is enabled, allowing users to place calls directly from a Web browser. The service is disabled by default.
Cisco released fixed versions of the affected software June 3 and urged organizations to treat CVE-2026-20230 as a critical vulnerability rather than as a high-severity flaw, as its CVSS score of 8.6 might otherwise suggest.
CUCM is a central communications management platform that allows organizations to manage a complete range of voice, video, and messaging services. Cisco claims some 30 million users use the platform globally. CVE-2026-20230 is an SSRF vulnerability, a class of flaw that gives attackers a way to trick a server into sending HTTP requests to arbitrary internal or external resources. On communications platforms like CUCM, such bugs can be especially dangerous because they can provide a path to management and provisioning services, application server components, and other trusted internal services.
Working Blueprint for Attacks
SSD Secure Disclosure’s PoC and exploit chain showed how an unauthenticated remote attacker could gain full control of affected CUCM platforms. The attack chain begins with a specially crafted HTTP request to the WebDialer service, which causes CUCM to interact with internal services not normally exposed externally, including an Apache Axis SOAP service. The attacker then writes a malicious JSP file into a publicly accessible CUCM Tomcat Web directory using a malicious Axis service definition. That JSP is used to drop a second JSP Web shell in the same location, which the attacker can use for remote code execution and eventual privilege escalation to root.
In a report this week, researchers at Defused said they observed attacks targeting CVE-2026-20230 hitting their decoy CUCM systems barely 24 hours after the PoC and exploit chain became available. A few days prior, Defused observed someone scanning for and tagging vulnerable CUCM systems. On June 24, the activity morphed into full-scale attacks that unfolded in a manner very similar to SSD Secure Disclosure’s PoC and exploit chain. “A public PoC for CVE-2026-20230 was weaponized inside 24 hours,” Defused said. “The observed chain abuses the WebDialer SSRF to deploy a rogue Apache Axis service, uses that service to write a first-stage JSP file-writer, then drops a second-stage command-execution shell,” protected by a password lifted straight from the PoC, Defused noted.
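The chain described above leaves a recognizable trace in the application server's access logs: a request to the WebDialer service from a source that shortly afterwards requests a JSP resource that was never part of the deployment. The following triage script is an added example for defenders, not code from Cisco, SSD Secure Disclosure, Defused or Horizon3.ai. It assumes the logs are in common log format, that the WebDialer servlet is reachable under a URL path containing "webdialer" (an assumption, not a path taken from the article), and that the operator supplies a baseline of legitimate JSP resources (the entries below are placeholders, as are the sample log lines, which are constructed).

```python
"""Triage web access logs for activity resembling the CUCM WebDialer
SSRF-to-web-shell chain: WebDialer contact from a source address that is
later seen requesting a JSP resource outside the known baseline.

Added example; not code from Cisco, SSD Secure Disclosure, Defused or
Horizon3.ai. Paths, baseline entries and log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Operator-maintained inventory of JSP resources the deployment legitimately
# serves. PLACEHOLDER values: replace with the real inventory.
KNOWN_JSP = {"/example-app/login.jsp", "/example-app/index.jsp"}

# Constructed sample log lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jun/2026:10:01:02 +0000] "GET /example-app/login.jsp HTTP/1.1" 200 1234',
    '198.51.100.7 - - [24/Jun/2026:10:02:15 +0000] "POST /webdialer/Webdialer HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Jun/2026:10:03:40 +0000] "GET /example-app/stage1.jsp HTTP/1.1" 200 87',
    '203.0.113.5 - - [24/Jun/2026:10:04:00 +0000] "GET /example-app/index.jsp HTTP/1.1" 200 2048',
]


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def is_webdialer_request(entry):
    # Assumption: the WebDialer servlet is served under a path containing "webdialer".
    return "webdialer" in entry["path"].lower()


def is_unknown_jsp(entry):
    # Drop any query string, then flag .jsp resources absent from the baseline.
    path = entry["path"].split("?", 1)[0]
    return path.lower().endswith(".jsp") and path not in KNOWN_JSP


def triage(lines):
    """Return {source_ip: [finding, ...]} for sources with suspicious activity."""
    findings = defaultdict(list)
    webdialer_seen = {}  # source ip -> timestamp of first WebDialer contact
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        ip = e["ip"]
        if is_webdialer_request(e):
            webdialer_seen.setdefault(ip, e["ts"])
            findings[ip].append(f"webdialer request {e['method']} {e['path']} -> {e['status']}")
        if is_unknown_jsp(e):
            findings[ip].append(f"unknown JSP requested {e['path']} -> {e['status']}")
            # The chain in the article: WebDialer SSRF first, new JSP on disk second.
            if ip in webdialer_seen and e["ts"] >= webdialer_seen[ip]:
                findings[ip].append("POSSIBLE CHAIN: WebDialer contact followed by unknown JSP")
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in triage(SAMPLE_LOG).items():
        print(ip)
        for note in notes:
            print("  ", note)
```

On the constructed sample, the source that only touched baseline JSPs produces no findings, while the source that contacted WebDialer and then requested an unlisted JSP is reported with the chain marker. The baseline set is the part that matters in practice: a stale or incomplete inventory will either hide a dropped file or flood the output with false positives, so it should be generated from the deployment itself rather than maintained by hand.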
Assume Compromise?
Organizations using CUCM with WebDialer enabled that have not patched CVE-2026-20230 should assume they have been scanned, the company noted.
Horizon3.ai released what it’s calling a rapid response test that organizations can use to verify whether the vulnerability is exploitable in their specific environments. “The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure,” Horizon3.ai said. In posts on X, the security vendor urged affected organizations to implement Cisco’s mitigations for the vulnerability immediately or to disable WebDialer if it is not needed. “Unified CM powers communications infrastructure across healthcare, finance, government, and enterprise environments,” Horizon3.ai observed.
For organizations with large Cisco footprints, the CUCM exploit activity is the second urgent patching issue they have had to address this week, following reports of attacks targeting a separate vulnerability in Cisco Catalyst SD-WAN deployments.