
Cisco Unified CM Flaw CVE-2026-20230 Under Active Reconnaissance Attacks

bleepingcomputer.com · @silent_shark · 2 hours ago · Cybersecurity · 2 comments

Attackers are exploiting an unpatched SSRF vulnerability in Cisco Unified Communications Manager to write files to the OS, using a reconnaissance payload to map vulnerable servers.

Tags: cisco, unified communications manager, ssrf, cve 2026 20230, active exploitation, vulnerability

Attackers are actively exploiting CVE-2026-20230, a high-severity SSRF vulnerability in Cisco Unified Communications Manager that allows unauthenticated remote file writes to the operating system.

Reconnaissance Payloads Hit Production Systems

Threat intelligence firm Defused tweeted over the weekend that they observed exploitation of CVE-2026-20230 from a single IP address. The attack uses crafted file:// payloads to write a file named /tmp/cve-2026-20230-test.txt to the target device. That's a textbook recon pattern: touch a canary file, see if it persists, confirm the server is exploitable.

Cisco released security updates on June 3, warning that successful exploitation could give an attacker root privileges. The bug lives in the WebDialer component of Unified CM and Unified CM Session Management Edition. Improper input validation on HTTP requests lets an attacker force the server to write arbitrary files via file:// URIs. SSD Secure originally reported the flaw to Cisco and published a technical write-up with PoC after Defused announced active exploitation.

Why This Matters More Than Usual

SSRF bugs that allow file writes to the OS are rare in VoIP infrastructure. Unified CM sits at the core of enterprise telephony, usually exposed only to internal networks but sometimes reachable from the internet. The attack requires knowing the target hostname first, but SSD Secure demonstrated how to extract that information from the device before exploitation, so the barrier is low.

Current activity looks like scanning, but now that SSD Secure's full technical details and PoC are public, expect ransomware groups and botnet operators to weaponize this within days. CISA has not yet added CVE-2026-20230 to the KEV catalog, but defenders should treat it as actively dangerous right now.

What to Do

Patch immediately if you haven't applied the June 3 Cisco updates. Block external access to WebDialer endpoints if possible. Monitor for unexpected file creations in /tmp and for outbound SSRF-style HTTP requests from Unified CM servers. The single attacking IP Defused observed is a starting point, but the attacker will rotate.
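As an added example (not code from the BleepingComputer article, Defused, SSD Secure or Cisco), a small Python detector that runs over constructed web-access log lines and flags requests to the WebDialer path that carry a file:// URI or the canary filename named above; the /webdialer/ path and the uri= parameter are placeholders standing in for the real endpoint, and the IPs are documentation addresses.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format), not real traffic.
# The /webdialer/ path and "uri=" parameter are placeholders, not Cisco's documented API.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2026:10:12:01 +0000] "GET /webdialer/Webdialer?uri=file%3A%2F%2F%2Ftmp%2Fcve-2026-20230-test.txt HTTP/1.1" 200 512
198.51.100.4 - - [07/Jun/2026:10:12:05 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 200 8192
203.0.113.7 - - [07/Jun/2026:10:13:44 +0000] "POST /webdialer/Webdialer HTTP/1.1" 200 128
10.0.0.12 - - [07/Jun/2026:10:14:00 +0000] "GET /webdialer/Webdialer?uri=sip:1001@pbx.example HTTP/1.1" 200 256
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
FILE_SCHEME = re.compile(r"file:/", re.IGNORECASE)   # file:// or file:/ after decoding
CANARY = "cve-2026-20230"                             # canary filename reported by Defused


def decode_fully(s, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are still inspected."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_ssrf_file_requests(log_text):
    """Return one dict per log line that looks like a file:// SSRF probe against WebDialer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log records
        target = decode_fully(m["target"])
        reasons = []
        if FILE_SCHEME.search(target):
            reasons.append("file:// URI in request")
        if CANARY in target.lower():
            reasons.append("CVE-2026-20230 canary filename")
        if reasons and "webdialer" in target.lower():
            reasons.append("WebDialer path")
        if reasons:
            hits.append({"ip": m["ip"], "time": m["ts"], "target": target, "reasons": reasons})
    return hits


def source_ips(hits):
    """Unique source IPs from the hits, e.g. to feed a temporary blocklist or a SIEM watchlist."""
    return sorted({h["ip"] for h in hits})
```

Feed the same function your real WebDialer access logs and alert on any non-empty result; the benign sip: request in the sample shows that ordinary dial requests are not flagged.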

This is the moment where a disclosed, patchable, actively exploited vulnerability crosses from theoretical to operational threat. If your Cisco voice infrastructure isn't patched this week, you're inviting a root-level compromise into your call management plane.


Source: Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks
Domain: bleepingcomputer.com
