Critical Cisco CUCM Flaw Exploited Within 24 Hours of PoC Release
A critical vulnerability in Cisco Unified Communications Manager (CUCM), tracked as CVE-2026-20230, was actively exploited by attackers less than 24 hours after proof-of-concept (PoC) code was released. The flaw allows unauthenticated remote attackers to perform server-side request forgery (SSRF) and escalate privileges to root. It affects Cisco Unified CM and Unified CM SME deployments where the WebDialer service, which is disabled by default, has been enabled. Cisco rated the vulnerability as critical with a CVSS score of 8.6 and released patches on June 3. Researchers from Defused observed attacks targeting their decoy CUCM systems shortly after the PoC was made public. The exploit involves sending crafted HTTP requests to the WebDialer service, which allows attackers to write files to the underlying operating system and can lead to full administrative control. Organizations are advised to disable the WebDialer service until patches can be applied.
Key Points:
• CVE-2026-20230 is a critical SSRF vulnerability in Cisco CUCM exploited within 24 hours of PoC release.
• Attackers can gain root access by exploiting the WebDialer service, which is disabled by default.
• Cisco has released patches and recommends disabling the WebDialer service as a temporary mitigation.