Feeds.4Sysops
Cisco Unified CM CVE-2026-20230 Under Active Exploitation with Webshells Dropped
Cisco Unified Communications Manager (Unified CM) is facing active exploitation of a critical vulnerability, CVE-2026-20230, which allows unauthenticated attackers to execute server-side request forgery (SSRF) attacks. The flaw, stemming from improper input validation in HTTP requests, enables attackers to write files to the underlying operating system and potentially gain root access. Threat intelligence firm Defused reported automated attacks deploying multi-stage command-execution webshells, confirmed on June 24, 2026. The vulnerability has been known since Cisco's patch release on June 3, 2026, but many systems remain exposed due to the WebDialer service being enabled. Affected versions include Unified CM 14.x prior to 14SU6 and 15.x prior to 15SU5. Cisco has advised disabling the WebDialer service as a mitigation step until patches can be applied. The situation is urgent as the attacks are ongoing and exploit a critical flaw in widely used enterprise telephony systems.
Key Points:
• CVE-2026-20230 allows unauthenticated SSRF attacks and root access on Cisco Unified CM.
• Active exploitation confirmed with webshells being deployed via automated Tor-routed sweeps.
• Organizations are urged to disable WebDialer service until patches are applied to mitigate risk.