
A high-severity SSRF vulnerability, tracked as CVE-2026-20230, in Cisco Unified Communications Manager is now being exploited in attacks.
Cisco released security updates for the CVE-2026-20230 flaw on June 3, warning that exploitation could give attackers root privileges on the system.
“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected system,” warned Cisco.
“This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to escalate to root.”
The flaw was disclosed to Cisco by SSD Secure Disclosure, who did not share any technical details at the time.
Today, threat intelligence firm Defused warned that the flaw is now being actively exploited in attacks.
“Over the weekend we observed exploitation of CVE-2026-20230 – Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6). No previously recorded exploitation, and not yet listed in CISA KEV,” Defused warned on X.
Defused says the attacks are originating from a single IP address and use properly constructed file:// payloads to create files on the system.

Source: Defused
While the flaw can be exploited in attacks to drop webshells and gain root privileges, the PoC observed by Defused appears designed to identify vulnerable devices by attempting to write a text file named ‘/tmp/cve-2026-20230-test.txt’ to them. The presence of that file on a Unified CM server is therefore a simple indicator that the host has been probed.
After the exploitation was disclosed, SSD Secure Disclosure published a technical write-up of the flaw explaining how the vulnerability works and sharing a proof-of-concept exploit.
The researchers found that an unauthenticated attacker could abuse the WebDialer component's handling of user-supplied URLs to force the application to write arbitrary files to the operating system using file:// URIs.
By controlling the file path and the content written to disk, an attacker could exploit the bug to achieve remote code execution and ultimately gain root privileges on vulnerable devices.
SSD Secure Disclosure noted that exploitation requires the attacker to first obtain the target system's hostname before carrying out the file-write attack. However, the researchers demonstrated how that information can be retrieved from the system before exploitation.
While the current exploitation appears to be reconnaissance in nature, now that the flaw has been fully disclosed, we will likely see more threat actors target these servers.
BleepingComputer contacted Cisco to ask if they, too, are seeing the flaw exploited in attacks and if any IOCs can be shared with defenders, and will update the article if we receive a response.
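As an added example (not code from the article, Defused, or SSD Secure Disclosure), the following Python script scans web-server access-log lines for WebDialer requests that carry a file:// URI, the payload shape described above, and separately flags the ‘/tmp/cve-2026-20230-test.txt’ probe Defused observed. The log lines are constructed for the example; the WebDialer request path and the parameter names in them are placeholders for illustration, not a claim about which endpoint or parameter is vulnerable. Percent-decoding is repeated so double-encoded payloads are not missed.

```python
"""Scan access-log lines for file:// payloads aimed at the CUCM WebDialer component."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit, parse_qsl

# Indicator reported by Defused: the observed PoC writes this file to find vulnerable hosts.
KNOWN_TEST_FILE = "/tmp/cve-2026-20230-test.txt"

# Assumption for this example: WebDialer requests are served under a path containing
# "webdialer". The cmd/destination parameters used in the sample lines below are
# placeholders, not the real vulnerable parameter.
WEBDIALER_PATH = re.compile(r"webdialer", re.IGNORECASE)
FILE_URI = re.compile(r"file:/{2,3}(?P<path>[^\s&\"'<>]*)", re.IGNORECASE)

# Common Log Format: client, ident, user, [timestamp], "METHOD URL PROTO", status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2026:02:14:09 +0000] "GET /webdialer/Webdialer?cmd=doMakeCall&destination=file:///tmp/cve-2026-20230-test.txt HTTP/1.1" 200 512
192.0.2.11 - - [07/Jun/2026:02:15:31 +0000] "GET /webdialer/Webdialer?cmd=doMakeCall&destination=1001 HTTP/1.1" 200 388
203.0.113.7 - - [07/Jun/2026:02:16:02 +0000] "GET /webdialer/Webdialer?cmd=doMakeCall&destination=file%253A%252F%252F%252Fvar%252Ftmp%252Fshell.jsp HTTP/1.1" 200 512
192.0.2.10 - - [07/Jun/2026:02:17:44 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 302 0
198.51.100.22 - - [07/Jun/2026:02:18:10 +0000] "GET /cgi-bin/search?q=file:///etc/passwd HTTP/1.1" 404 120
"""


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    url: str
    status: int
    file_paths: list = field(default_factory=list)
    known_test_indicator: bool = False


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (file%253A...) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_file_uris(url):
    """Return filesystem paths from any file:// URI in the request path or query values."""
    parts = urlsplit(url)
    candidates = [decode_fully(parts.path)]
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append(decode_fully(value))
    paths = []
    for candidate in candidates:
        for match in FILE_URI.finditer(candidate):
            raw = match.group("path")
            # Normalise "file://tmp/x" and "file:///tmp/x" to the same absolute path.
            paths.append("/" + raw.lstrip("/") if raw else "/")
    return paths


def analyze_request(ip, ts, method, url, status):
    """Flag a request only if it targets WebDialer and carries at least one file:// URI."""
    if not WEBDIALER_PATH.search(urlsplit(url).path):
        return None  # file:// elsewhere (e.g. /cgi-bin) is out of scope for this check
    paths = extract_file_uris(url)
    if not paths:
        return None
    return Finding(ip, ts, method, url, int(status), paths, KNOWN_TEST_FILE in paths)


def scan_log(text):
    """Parse each log line and collect findings; unparseable lines are skipped, not fatal."""
    findings = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        finding = analyze_request(**match.groupdict())
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        tag = " [known CVE-2026-20230 test indicator]" if f.known_test_indicator else ""
        print(f"{f.ts} {f.ip} {f.method} -> {', '.join(f.file_paths)}{tag}")
```

Run against a real log, replace SAMPLE_LOG with the file contents; the WEBDIALER_PATH pattern is the one assumption to adjust if your server exposes the component under a different path.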


