A critical vulnerability in Cisco's Unified Communications Manager (Unified CM) product has been exploited by attackers just weeks after a patch was released to address the issue. The flaw, tracked as CVE-2026-20230, allows an unauthenticated remote attacker to conduct server-side request forgery (SSRF) attacks and write arbitrary files to the underlying operating system, potentially leading to root-level access.

What Happened

The vulnerability was first disclosed by Cisco on June 3, when it released patches for the issue. At the time, the company stated that it was not aware of any malicious use of the vulnerability. However, threat intelligence firm Defused reported on June 23 that it had observed exploitation of the flaw over the weekend.

Defused noted that the attacks originated from a single IP address and used properly constructed file:// payloads to create files on the device. The company also stated that this was the first recorded exploitation of the flaw, and that it was not yet listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
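
A log check for the indicator Defused describes, a file:// scheme in request parameters grouped by source address, as an added example that is not code from Cisco or Defused. The access-log layout, the /placeholder/app path, the dest parameter and every sample line are constructed assumptions; adapt the parser to the logs your deployment actually produces.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in common log format. Path, parameter name and
# addresses (documentation ranges) are placeholders, not Unified CM values.
SAMPLE_LOG = """\
198.51.100.23 - - [21/Jun/2026:02:14:09 +0000] "GET /placeholder/app?dest=file:///EXAMPLE/one HTTP/1.1" 200 512
192.0.2.10 - - [21/Jun/2026:02:15:41 +0000] "GET /placeholder/app?page=profile:/settings HTTP/1.1" 200 1024
198.51.100.23 - - [21/Jun/2026:02:16:02 +0000] "POST /placeholder/app?dest=file%3A%2F%2F%2FEXAMPLE%2Ftwo HTTP/1.1" 200 512
198.51.100.23 - - [21/Jun/2026:02:17:30 +0000] "GET /placeholder/app?dest=FILE%253A%252F%252F%252FEXAMPLE HTTP/1.1" 500 87
192.0.2.44 - - [21/Jun/2026:02:18:55 +0000] "GET /placeholder/app?dest=https://example.com/ HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# "file:/" in any letter case, but not as the tail of a longer word
# such as "profile:/".
FILE_SCHEME = re.compile(r'(?<![a-z0-9])file:/', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded schemes are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_file_scheme_requests(log_text):
    """Return {source_ip: [(timestamp, method, status), ...]} for requests
    whose target contains a file:// scheme after decoding.

    Only the request line is inspected; payloads sent in a request body
    do not appear in access logs and need proxy or packet capture data.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed layout
        ip, timestamp, method, target, status = match.groups()
        if FILE_SCHEME.search(fully_decode(target)):
            hits[ip].append((timestamp, method, status))
    return dict(hits)


if __name__ == "__main__":
    for ip, requests in find_file_scheme_requests(SAMPLE_LOG).items():
        print(ip, len(requests), requests)
```
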

Background and Context

Cisco Unified CM is a widely used product for managing voice, video, messaging, mobility, and conferencing services across corporate environments. The vulnerability affects both Cisco Unified CM and Unified CM SME products, which are used by large enterprises to manage their communication infrastructure.

The flaw is caused by improper input validation for specific HTTP requests, allowing an attacker to exploit the vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate privileges to root.

Why it Matters

The exploitation of this vulnerability has significant implications for adult-industry platforms and operators, particularly those who rely on Cisco's Unified CM product for their communication infrastructure. The flaw can be exploited remotely if the targeted system is running a vulnerable software release and has the WebDialer service enabled.

The risk depends on configuration: the vulnerability can be exploited only if the WebDialer service is enabled, and that service is disabled by default on affected systems. However, the fact that attackers are already exploiting this flaw highlights the importance of promptly applying patches and ensuring that all services are properly configured to prevent exploitation.

What Comes Next

Cisco has yet to confirm exploitation in its advisory, but it strongly urges customers to upgrade to available fixed software releases that address this vulnerability. Until a patch is applied, administrators can mitigate risk by disabling the WebDialer service, which can be done through the Unified CM Administration interface.

Key Facts

  • The vulnerability affects Cisco Unified CM and Unified CM SME products.
  • The flaw allows an unauthenticated remote attacker to conduct SSRF attacks and write arbitrary files to the underlying operating system.
  • The risk depends on configuration: exploitation can occur only if the WebDialer service is enabled.
  • Cisco released patches for the issue on June 3, but attackers have already begun exploiting the flaw.
  • Defused reported observing exploitation of the flaw over the weekend, noting that this was the first recorded exploitation and not yet listed in CISA's KEV catalog.

Cisco's Unified CM product is widely used by large enterprises to manage their communication infrastructure. The exploitation of this vulnerability highlights the importance of promptly applying patches and ensuring that all services are properly configured to prevent exploitation. Adult-industry platforms and operators should take immediate action to mitigate risk and ensure the security of their communication infrastructure.