Cisco Unified CM Flaw CVE-2026-20230 Actively Exploited in the Wild
A critical vulnerability in Cisco's Unified Communications Manager (Unified CM) is being actively exploited in the wild, according to exploit intelligence firm Defused. The flaw, tracked as CVE-2026-20230, was patched by Cisco on June 3, but attackers have been weaponizing it against enterprise targets as recently as this past weekend, leveraging a proof-of-concept (PoC) exploit that had been circulating prior to the disclosure.
The vulnerability allows an unauthenticated, remote attacker to conduct Server-Side Request Forgery (SSRF) attacks, write arbitrary files to the underlying operating system, and escalate privileges to root. Exploitation requires the WebDialer service, which is disabled by default, to be enabled. Defused reported observing exploitation from a single source using an unvetted PoC, with file:// file-write payloads landing on their decoy systems. Shortly after these reports surfaced, SSD Secure Disclosure, the security firm credited with reporting the vulnerability, published full technical details and PoC code demonstrating how the flaw can be leveraged by an unauthenticated attacker for remote code execution (RCE).
Cisco has yet to confirm in-the-wild exploitation in its official advisory, and CVE-2026-20230 has not yet been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Unified CM serves as Cisco's flagship on-premises call control and session management platform, used by large enterprises as core infrastructure for voice, video, and unified communications, making it a high-value target for both profit-driven cybercriminals and state-sponsored threat actors. This marks the second Cisco Unified CM vulnerability exploited in 2026, following CVE-2026-20045, which threat actors targeted as a zero-day. Cisco's SD-WAN products have been the most heavily targeted this year, with eight vulnerabilities exploited to date.
Security teams running Unified CM should immediately apply Cisco's June 3 patch, audit WebDialer service configurations, and review network logs for indicators of compromise. Network administrators can use a port scanner to verify exposed Cisco management interfaces and confirm firewall rules are properly restricting access. Defenders should also run an SSL/TLS checker on Unified CM endpoints to validate certificate configurations, and monitor for any unusual outbound connections that may indicate SSRF-based reconnaissance activity.
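As a starting point for the log review, the following added example (not code from Cisco, Defused, or SSD Secure Disclosure) flags requests whose target contains a file:// scheme, including percent-encoded and double-encoded forms. It assumes combined-format web access logs and that the payload is visible in the request line; the sample lines, paths, and parameter names are constructed placeholders, not the real exploit request.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (combined log format). Paths and parameters are
# placeholders for illustration, not the actual exploit request.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Jun/2026:02:11:04 +0000] "GET /placeholder/endpoint?target=file:///tmp/x HTTP/1.1" 200 512 "-" "curl/8.5"
198.51.100.7 - - [15/Jun/2026:02:11:09 +0000] "GET /placeholder/endpoint?target=FILE%3A%2F%2F%2Ftmp%2Fy HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.20 - - [15/Jun/2026:02:12:30 +0000] "GET /placeholder/endpoint?target=file%253A%252F%252F%252Ftmp%252Fz HTTP/1.1" 500 0 "-" "-"
192.0.2.44 - - [15/Jun/2026:08:00:01 +0000] "GET /placeholder/profile?name=file.txt HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
FILE_SCHEME = re.compile(r"file://", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encodings cannot hide the scheme."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_file_scheme_requests(log_text):
    """Return one record per request whose decoded target contains file://."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, when, method, target, status = m.groups()
        decoded = fully_decode(target)
        if FILE_SCHEME.search(decoded):
            hits.append({"src": src, "time": when, "method": method,
                         "target": decoded, "status": int(status)})
    return hits

def hits_by_source(hits):
    """Count flagged requests per source address for triage."""
    return Counter(h["src"] for h in hits)

if __name__ == "__main__":
    found = find_file_scheme_requests(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["src"], h["status"], h["target"])
    print(dict(hits_by_source(found)))
```

Access logs normally omit request bodies, so a clean result here does not rule out payloads delivered in a POST body; pair it with the outbound-connection review.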