A high-severity SSRF vulnerability (tracked as CVE-2026-20230) in Cisco Unified Communications Manager servers has been exploited in an attack.
Cisco released a security update for the CVE-2026-20230 flaw on June 3, warning that an exploit could allow an attacker to gain root privileges on the device.
“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack through an affected device,” Cisco warned.
“The vulnerability is due to improper input validation of certain HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write a file to the underlying operating system that could later be used to escalate to the operating system root.”
The flaw was disclosed to Cisco by SSD Secure Disclosure, but no technical details were shared at the time.
Today, threat intelligence firm Defused warned that this flaw is currently being actively exploited in attacks.
“Over the weekend, we observed an exploit of CVE-2026-20230 – Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6) with no previously recorded exploits and not yet listed in CISA KEV,” Defused warned on X.
According to Defused, the attack originates from a single IP address and uses a well-constructed file:// payload to create a file on the device.
Though this flaw could possibly be exploited to drop an online shell and achieve root privileges, the PoC noticed by Defused seems to be designed to determine susceptible units by trying to put in writing a textual content file named /tmp/cve-2026-20230-test.txt to them.
After this exploit was revealed, SSD Safe printed a technical doc explaining how the vulnerability works and sharing a proof-of-concept exploit.
Researchers found that an unauthenticated attacker may exploit the Webdialer part’s dealing with of user-specified URLs and write arbitrary recordsdata to the working system utilizing a file:// URI in an software.
By controlling the file path and content material written to disk, an attacker may exploit the bug to remotely execute code and in the end achieve root privileges on a susceptible system.
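The root cause Cisco describes is a URL parameter that is passed to a URL fetcher without a scheme check, so a file:// value is handled like any other URL. The following is an added example (not code from Cisco, Defused or SSD Secure Disclosure) of the two things a defender wants from this story: the input validation the component was missing (an allowlist of http/https with a required host) and a small scanner that runs the same rule over web access log lines to surface requests that passed a non-http(s) URL to a WebDialer path. The log format, the `/webdialer/Webdialer` path, the `url` parameter name and all log lines are constructed assumptions for the demonstration; only the file:// scheme and the /tmp/cve-2026-20230-test.txt marker file come from the article.

```python
import re
from urllib.parse import parse_qs, urlparse

# Hardened input validation: only absolute http(s) URLs with a host are accepted.
# A file://, gopher:// or scheme-relative (//host) value is rejected before any fetch.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_url(value: str) -> bool:
    """Return True only for an absolute http(s) URL that names a host."""
    try:
        parsed = urlparse(value)
    except ValueError:
        return False
    return parsed.scheme.lower() in ALLOWED_SCHEMES and bool(parsed.hostname)


# Detection side: scan common-log-format lines for WebDialer requests whose
# parameters carry a URL-like value that the rule above would reject.
# Assumed (constructed) log layout and parameter name; not Cisco's own format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Anything that starts with "scheme:" or is scheme-relative ("//host") is URL-like.
URL_LIKE_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*:|^//')
WATCHED_PATH_FRAGMENT = "/webdialer/"

# Constructed sample lines: one benign callback URL, one file:// probe matching the
# marker file from the article, an unrelated admin page, a WebDialer request without
# a URL, and a second probe with upper-case scheme and mixed-case percent-encoding.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Jun/2026:02:10:03 +0000] "GET /webdialer/Webdialer?url=https%3A%2F%2Fcucm.example.internal%2Fcallback HTTP/1.1" 200 311',
    '203.0.113.5 - - [07/Jun/2026:02:14:11 +0000] "GET /webdialer/Webdialer?url=file%3A%2F%2F%2Ftmp%2Fcve-2026-20230-test.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Jun/2026:02:15:40 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 200 8821',
    '198.51.100.9 - - [07/Jun/2026:02:16:02 +0000] "GET /webdialer/Webdialer?cmd=doStatus HTTP/1.1" 200 144',
    '203.0.113.5 - - [07/Jun/2026:02:19:57 +0000] "GET /webdialer/Webdialer?url=FILE%3a%2f%2f%2ftmp%2fx.txt HTTP/1.1" 200 512',
]


def find_suspicious(lines):
    """Return one record per WebDialer request parameter holding a non-http(s) URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip rather than guess
        path = m.group("path")
        if WATCHED_PATH_FRAGMENT not in path.lower():
            continue
        query = urlparse(path).query
        # parse_qs percent-decodes values, so "file%3A%2F%2F" becomes "file://".
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if not URL_LIKE_RE.match(value):
                    continue  # plain token such as a command name; not a URL
                if is_safe_url(value):
                    continue  # http(s) with a host: what the parameter is meant for
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "param": name,
                    "value": value,
                    "scheme": urlparse(value).scheme or "relative",
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['param']}={hit['value']} (scheme={hit['scheme']})")
```

The scheme check deliberately tests the parsed scheme rather than a string prefix, so case variants such as FILE:// and alternative percent-encodings are caught once the query string has been decoded; the same normalisation is what the validating side should do before deciding whether to fetch a URL at all.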
SSD Secure Disclosure noted that to exploit this vulnerability, an attacker must first obtain the target device’s hostname before performing the file-write attack. However, the researchers have demonstrated a way to retrieve that information from a device before exploiting it.
While the current exploit appears to be reconnaissance in nature, we expect more attackers to target these servers now that the flaw is fully exposed.
BleepingComputer has reached out to Cisco to ask if they have also seen this flaw being exploited and if the IOCs can be shared with defenders, and will update this article if we hear back.