A critical Cisco Unified CM vulnerability is now under active exploitation, weeks after the company issued patches and warned that it could allow attackers to gain root access.
Threat intelligence firm Defused reported the exploitation on June 23, saying it had observed the activity over the weekend.
“This is currently being exploited from a single source using an unvetted PoC, with genuinely-formatted file:// file-write payloads landing on our decoys,” Defused said on X.
The flaw is tracked as CVE-2026-20230 and carries a CVSS base score of 8.6. Cisco published the advisory and patches on June 3, when it stated it was not aware of any malicious use of the vulnerability at the time of disclosure.
“This vulnerability is due to improper input validation for specific HTTP requests,” Cisco said in the advisory. “An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device.”
The flaw could allow an unauthenticated, remote attacker to “conduct server-side request forgery (SSRF) attacks through an affected device,” the advisory said. A successful exploit could let the attacker write files to the underlying operating system and elevate privileges to root, it added.
No prior record of exploitation
Defused said the weekend activity was the first exploitation of the flaw it had recorded. “No previously recorded exploitation, and not yet listed in CISA KEV,” it wrote in the X post.
Weeks before Defused reported the attacks, Cisco had acknowledged in its advisory that proof-of-concept exploit code for the flaw was already available. The Cisco Product Security Incident Response Team (PSIRT) was not aware of any malicious use of the vulnerability when the advisory was published, the company said.
Cisco did not immediately respond to a request for comment.
WebDialer service must be enabled
The flaw affects Cisco Unified CM and Unified CM SME products widely used by enterprises to manage voice, video, messaging, mobility, and conferencing services across corporate environments.
The company said the flaw can be exploited remotely if the targeted system is running a vulnerable software release and has the WebDialer service enabled.
“WebDialer is disabled by default,” Cisco noted in the advisory.
Cisco said there is no workaround that fully addresses the vulnerability, but it offered a mitigation.
“There are no workarounds that address this vulnerability,” the company said in its advisory. “However, as a mitigation, administrators may disable the WebDialer service until a patch can be applied.”
Researcher details the file-write chain
The flaw was reported to Cisco by an independent security researcher working with SSD Secure Disclosure, Cisco said.
While Cisco’s advisory describes the issue as an SSRF vulnerability, SSD’s analysis indicates that multiple weaknesses can be combined to achieve a broader compromise of an affected system.
“The CUCM product faces a few vulnerabilities that when bundled together allow a remote attacker to gain the ability to write arbitrary files on the server, which in turn allow an unauthenticated attacker to execute code,” SSD Secure wrote in a technical write-up.
SSD said the chain begins with the SSRF, which is leveraged to write arbitrary files to the server; according to the disclosure, that file write is then used to execute code on the affected system.
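Defused's observation above (file:// payloads landing on its decoys) and SSD's description of the SSRF-to-file-write chain suggest one concrete thing a defender can do while waiting for the patch window: scan web-tier access logs for WebDialer requests whose parameters carry a non-HTTP URI scheme. The script below is an added example, not code from Cisco, Defused or SSD. It assumes the WebDialer servlet is served under /webdialer/, that the proxy or CUCM front end logs POST bodies in a trailing quoted field, and that the offending URI appears in a query or form parameter; the parameter names, IPs and log lines are constructed for illustration and do not come from the advisory.

```python
"""Flag WebDialer requests carrying file:// (or other non-HTTP) URIs in parameters.

Added example for triaging CVE-2026-20230-style SSRF probes; not Cisco/Defused/SSD code.
Assumptions (not stated in the Cisco advisory): WebDialer lives under /webdialer/,
the log is combined-log style with the POST body in a final quoted field, and the
SSRF target URI is passed as a query or form parameter.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

WEBDIALER_PREFIX = "/webdialer/"  # assumed servlet path

# URI schemes that have no business in a click-to-dial request.
SUSPECT_SCHEME = re.compile(r"\b(file|gopher|dict|ftp|ldap|jar)://", re.IGNORECASE)

# ip ident user [ts] "METHOD target HTTP/x" status bytes "body-or-dash"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)

# Constructed sample lines: two probes (one with nested percent-encoding),
# one benign WebDialer call and one unrelated admin request.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jun/2026:02:14:07 +0000] "GET /webdialer/Webdialer?cmd=doMakeCall&uri=file:///etc/passwd HTTP/1.1" 200 512 "-"
10.0.0.5 - - [23/Jun/2026:02:14:09 +0000] "POST /webdialer/Webdialer HTTP/1.1" 200 77 "url=%66%69%6C%65%3A%2F%2F%2Ftmp%2Fx.jsp"
192.168.1.20 - - [23/Jun/2026:02:15:00 +0000] "GET /webdialer/Webdialer?cmd=doMakeCall&destination=5551212 HTTP/1.1" 200 4096 "-"
192.168.1.21 - - [23/Jun/2026:02:15:01 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 200 2048 "-"
"""


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %66%69%6C%65%3A%2F%2F reads as file://."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_params(target, body):
    """Return (path, [(name, decoded value), ...]) from query string and form body."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if body and body != "-":
        params += parse_qsl(body, keep_blank_values=True)
    return parts.path, [(k, fully_decode(v)) for k, v in params]


def scan_line(line):
    """Return a finding dict for a suspicious WebDialer request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, params = extract_params(m["target"], m["body"])
    if not path.lower().startswith(WEBDIALER_PREFIX):
        return None
    hits = [(k, v) for k, v in params if SUSPECT_SCHEME.search(v)]
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"], "path": path, "hits": hits}


def scan_log(text):
    """Scan a whole log blob; returns one finding per suspicious line."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} {finding['method']} {finding['path']} -> {finding['hits']}")
```

Two design points worth keeping if you adapt this to real logs: decode parameters repeatedly, because a single pass of URL decoding is exactly what an evasion relying on double encoding counts on, and treat any non-HTTP scheme as a hit rather than matching only file://, since an SSRF primitive that reaches the local filesystem can usually reach other internal schemes too.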
Patching and mitigation
With no workaround available, Cisco advised customers to upgrade to a fixed software release.
For the Cisco Unified CM and Unified CM SME 14 release train, the company said the fix is 14SU6; for the 15 train, the fix is in 15SU5, due in September 2026, or in an interim COP patch.
Neither Cisco nor Defused has publicly attributed the attacks to a specific threat actor, released indicators of compromise, or disclosed whether any organizations have been successfully compromised through exploitation of the flaw.