Hackers Exploiting Cisco Unified CM Vulnerability
Hackers exploit Cisco Unified CM vulnerability CVE-2026-20230 after PoC release.
Summary
Exploitation has been observed for CVE-2026-20230, a critical vulnerability in Cisco Unified Communications Manager (Unified CM). While Cisco patched the flaw in early June and initially reported no in-the-wild exploitation, exploit intelligence firm Defused has detected active attacks using an unvetted Proof of Concept. The vulnerability allows unauthenticated remote attackers to perform SSRF attacks, write arbitrary files, and escalate privileges to root, provided the WebDialer service is enabled.
Full text
A recently patched vulnerability affecting Cisco’s Unified Communications Manager (Unified CM) product is being exploited in attacks, according to exploit intelligence firm Defused.
Cisco announced patches for the vulnerability, tracked as CVE-2026-20230, on June 3. The company said the critical security hole can be exploited by an unauthenticated, remote attacker to conduct SSRF attacks, write arbitrary files to the underlying operating system, and escalate privileges to root. Exploitation requires enabling the WebDialer service, which is disabled by default.
When it announced fixes, Cisco noted that a PoC exploit had been available, but said it was not aware of any in-the-wild exploitation.
Defused said it saw evidence of exploitation over the weekend, noting, “This is currently being exploited from a single source using an unvetted PoC, with genuinely-formatted file:// file-write payloads landing on our decoys.” Defused recently also reported seeing the exploitation of three Fortinet product vulnerabilities.
Shortly after the security firm announced seeing attacks exploiting CVE-2026-20230, SSD Secure Disclosure, which Cisco credited with reporting the vulnerability, published technical details and PoC code showing how the flaw can be leveraged by an unauthenticated attacker for remote code execution.
Cisco has yet to confirm exploitation in its advisory. SecurityWeek has reached out to the tech giant to find out whether it’s aware of the attacks exploiting CVE-2026-20230.
Unified CM is Cisco’s flagship on-premises call control and session management platform. It serves as the core infrastructure for enterprise voice, video, and unified communications. Given that the product is used by large enterprises, CVE-2026-20230 can be highly valuable to both profit-driven cybercriminals and state-sponsored threat actors.
CVE-2026-20230 has yet to be added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and there do not appear to be other reports of exploitation. This is the second Cisco Unified CM vulnerability exploited in 2026. The first was CVE-2026-20045, which threat actors targeted as a zero-day. Cisco’s SD-WAN products have been the most targeted this year, with eight vulnerabilities exploited to date.
Written by Eduard Kovacs (@EduardKovacs), senior managing editor at SecurityWeek.
Indicators of Compromise
- cve — CVE-2026-20230