A vulnerability recently patched in Cisco’s Unified Communications Manager (Unified CM) has been actively exploited by hackers, according to updates from cybersecurity firm Defused. The flaw, identified as CVE-2026-20230, was addressed by Cisco on June 3.
Details of the Vulnerability
The security issue, rated critical, allows unauthenticated remote attackers to carry out server-side request forgery (SSRF) attacks, write arbitrary files, and escalate privileges to root. Exploitation requires the WebDialer service to be enabled; the service is typically disabled by default.
Upon releasing the patch, Cisco acknowledged the availability of a proof-of-concept (PoC) exploit but initially reported no known in-the-wild exploitation. However, recent evidence from Defused suggests otherwise.
Current Exploitation Activities
Defused has identified exploitation attempts occurring over a recent weekend. The firm noted, “We are witnessing exploitation from a single origin deploying an unvetted PoC, with file:// payloads being delivered to our decoys.” This revelation highlights active efforts by attackers to leverage the vulnerability.
In a related development, SSD Secure Disclosure, credited by Cisco for reporting the flaw, released technical details and PoC code that demonstrate how unauthenticated attackers can achieve remote code execution through this vulnerability.
Implications and Industry Response
Unified CM is a core component of Cisco’s enterprise communication infrastructure, used globally for voice and video services. The exploitation of CVE-2026-20230 underscores the risk the vulnerability poses to large organizations and its appeal as a target for both financially motivated cybercriminals and state-sponsored actors.
Despite the evidence of exploitation, Cisco has not yet confirmed these incidents in its advisories. SecurityWeek has reached out to Cisco for comment. Additionally, the vulnerability has not been listed in CISA’s Known Exploited Vulnerabilities catalog, and no other reports of its exploitation have surfaced.
This situation marks the second time in 2026 that a vulnerability in Cisco Unified CM has been exploited. The first instance involved CVE-2026-20045, which was targeted as a zero-day. This trend highlights an ongoing focus on Cisco products by threat actors, with Cisco’s SD-WAN solutions also seeing multiple vulnerabilities exploited this year.
As companies worldwide continue to rely on Unified CM for critical operations, prompt attention to security updates and patches remains essential to prevent potential breaches and maintain robust cybersecurity defenses.
