- CVE: CVE-2026-20230
- CVSS: 8.6 (High · CVSSv3)
- Product: Cisco Unified Communications Manager
- Affected: N/A
- Impact: A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified...
- Status: Exploited in the wild
- EPSS: 41.7% (30-day)
- Action: See vendor advisory
TL;DR
Attackers are exploiting a Cisco Unified CM RCE flaw in live attacks. Tracked as CVE-2026-20230, it carries a CVSS score of 8.6. Researchers have now published full technical details and proof-of-concept exploit code.
Why this Cisco Unified CM RCE matters
Unified CM powers enterprise voice and video systems worldwide. A successful attack gives an intruder root access. Cisco rates the real-world impact as Critical, higher than the base score suggests. The platform also holds call routing tables and user directories. Therefore, one compromised server can expose a network’s core.
Exploited in the wild
Exploitation began over the weekend of June 21-22, 2026. Threat intelligence firm Defused first caught the attacks on its honeypots. Early activity looked like reconnaissance, writing a harmless test file. By June 24, researchers reported automated, Tor-routed webshell drops. CISA then added the flaw to its Known Exploited Vulnerabilities catalog on June 25. Notably, Cisco’s own advisory had not yet confirmed in-the-wild abuse at that point.
Public proof-of-concept
SSD Secure Disclosure, which reported the bug, published a full technical write-up. The report documents the complete SSRF-to-RCE chain with working code. As a result, the barrier to attack has fallen sharply. More threat actors will likely target exposed servers now.
How the attack works
The flaw stems from improper input validation in the WebDialer service. An unauthenticated attacker sends a crafted HTTP request. That request triggers server-side request forgery on the device. The attacker then writes arbitrary files to the operating system. Next, they plant a webshell and run commands as root. WebDialer must be enabled, though it ships disabled by default.
Affected versions
The bug hits Unified CM and Unified CM SME across two release trains. Release 14 before 14SU6 stays vulnerable. Release 15 before 15SU5 also stays at risk. The disclosure names build 15.0.1.13901-2 as affected.
Patch and mitigation
Cisco patched the flaw on June 3, 2026. Admins should upgrade to 14SU6 now. An interim COP patch covers release 15 until 15SU5 ships in September. Where patching lags, disable WebDialer to cut exposure. Review Cisco’s security advisory for fixed builds. One warning stands out. Patching does not remove a webshell that attackers already dropped. Therefore, hunt every exposed server for signs of compromise.
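The triage rules in this section, written out as an added example (not code from Cisco, SSD Secure Disclosure or this report). The inventory schema, hostnames, verdict names and the choice to rank servers fixed before the first observed attacks as lower priority are assumptions; the fixed service updates and the June 21 date come from the article above.

```python
import re
from datetime import date

# Facts below are taken from this article, not from Cisco's advisory.
FIRST_FIXED_SU = {14: 6, 15: 5}        # fixed in 14SU6 and 15SU5
EXPLOITATION_SEEN = date(2026, 6, 21)  # first attacks observed on honeypots

def parse_release(label):
    """Turn '14SU5' or '15' into (train, su); None for anything else."""
    m = re.fullmatch(r"\s*(\d+)(?:SU(\d+))?\s*", label, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def triage(server):
    """Classify one inventory record (hypothetical schema) as an action."""
    parsed = parse_release(server["release"])
    if parsed is None or parsed[0] not in FIRST_FIXED_SU:
        return "check-advisory"             # train not discussed in the article
    train, su = parsed
    # Release 15 may be covered by the interim COP patch instead of 15SU5.
    fixed = su >= FIRST_FIXED_SU[train] or (train == 15 and server.get("cop_applied", False))
    if not server["webdialer_enabled"]:     # True if WebDialer is or has been activated
        return "ok" if fixed else "patch"   # the attack path needs WebDialer
    if not fixed:
        return "patch-and-hunt"             # reachable and still unpatched
    # A patch does not remove a webshell planted before it was installed.
    fixed_on = server.get("fixed_on")       # date the fixed build or COP went on
    if fixed_on is None or fixed_on >= EXPLOITATION_SEEN:
        return "hunt"
    return "hunt-low"                       # fixed before attacks were observed

# Constructed inventory for illustration; hosts and values are invented.
INVENTORY = [
    {"host": "cucm-a", "release": "14SU5", "webdialer_enabled": True},
    {"host": "cucm-b", "release": "14SU6", "webdialer_enabled": True, "fixed_on": date(2026, 6, 27)},
    {"host": "cucm-c", "release": "15SU4", "webdialer_enabled": True, "cop_applied": True, "fixed_on": date(2026, 6, 10)},
    {"host": "cucm-d", "release": "15SU4", "webdialer_enabled": False},
    {"host": "cucm-e", "release": "12.5SU9", "webdialer_enabled": True},
]

def report(inventory):
    return {s["host"]: triage(s) for s in inventory}

if __name__ == "__main__":
    for host, action in report(INVENTORY).items():
        print(f"{host}: {action}")
```

Fixed builds and COP file names are not listed in this report, so confirm each "ok" verdict against Cisco's advisory before closing it out.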