A high-severity server-side request forgery flaw in Cisco Unified Communications Manager is being actively exploited in the wild. The vulnerability, tracked as CVE-2026-20230, carries a CVSS score of 8.6 and could give attackers root access to affected devices.
Cisco released patches for the flaw on June 3, warning that improper input validation in specific HTTP requests could let an unauthenticated remote attacker write files to the underlying OS. Those files could then be used to escalate privileges all the way to root.
Threat intelligence firm Defused confirmed the exploitation over the weekend, noting that attacks originate from a single IP address using properly constructed file:// payloads. The current activity appears to be reconnaissance — attackers are writing a test file named ‘/tmp/cve-2026-20230-test.txt’ to identify vulnerable devices.
But don’t let the “reconnaissance” label fool you. SSD Secure, who originally reported the vulnerability to Cisco, published a full technical write-up showing how the bug can be chained to achieve remote code execution. An attacker abuses the Webdialer component’s handling of user-supplied URLs to force the application to write arbitrary files using file:// URIs.
There’s one wrinkle: the attacker needs the target system’s hostname before launching the file-write attack. SSD Secure demonstrated that this information can be retrieved from the device beforehand, so it’s not much of a barrier.
The flaw affects both Cisco Unified CM and the Session Management Edition. If you’re running either product and haven’t applied the June 3 patches, now would be a good time.
BleepingComputer reached out to Cisco for comment on the active exploitation and any indicators of compromise, but had not received a response at the time of publication.
