Overview
- Cisco released patches for CVE-2026-20230 on June 3 after warning that the SSRF flaw can let an attacker write files to the operating system and gain root privileges.
- Threat intel firm Defused said it observed active exploitation over the weekend originating from a single IP that used file:// payloads to drop a test file named /tmp/cve-2026-20230-test.txt on decoys.
- Researcher group SSD Secure published a technical write-up and proof-of-concept showing how the WebDialer component can be abused to obtain a hostname, force file writes and achieve remote code execution.
- Successful attacks require the Cisco WebDialer service to be enabled, which is off by default, so administrators should apply the 14SU6/15SU5 fixes or disable WebDialer and check for the reported file-write indicator.
- Because Unified CM runs core enterprise voice and session services, a full compromise could let attackers control communications and disrupt operations, so teams should monitor logs, hunt for indicators and perform forensic reviews.
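
Hunting logic for the two indicators named above, the file:// payloads and the /tmp/cve-2026-20230-test.txt test file, as an added example that is not code from Cisco, Defused or SSD Secure. The log lines, the /example/app path, the target parameter and the generic access-log shape are constructed assumptions, not a real Unified CM log format; adapt the line pattern to the logs you actually export.

```python
import os
import re
from collections import defaultdict
from urllib.parse import unquote

INDICATOR_PATH = "/tmp/cve-2026-20230-test.txt"  # test file name reported on this page

# Constructed sample lines (assumption: generic access-log shape, hypothetical path/parameter).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /example/app?target=https://portal.example.com/ HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "POST /example/app?target=file:///tmp/cve-2026-20230-test.txt HTTP/1.1" 200 0
198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "POST /example/app?target=FILE%3A%2F%2F%2Ftmp%2Fcve-2026-20230-test.txt HTTP/1.1" 200 0
198.51.100.7 - - [01/Jan/2026:10:00:12 +0000] "POST /example/app?target=file%253A%252F%252F%252Ftmp%252Fcve-2026-20230-test.txt HTTP/1.1" 200 0
"""

# source address, then the request target inside the quoted request line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded schemes are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def hunt(log_text):
    """Return {source_ip: [reasons]} for requests carrying a file:// URL or the indicator path."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, target = m.groups()
        decoded = fully_decode(target).lower()  # scheme matching is case-insensitive
        if "file://" in decoded:
            hits[src].append("file-scheme")
        if INDICATOR_PATH in decoded:
            hits[src].append("indicator-path")
    return dict(hits)

def indicator_on_disk(root="/"):
    """Check for the reported test file under root (e.g. a mounted forensic image)."""
    return os.path.isfile(os.path.join(root, INDICATOR_PATH.lstrip("/")))

if __name__ == "__main__":
    for src, reasons in hunt(SAMPLE_LOG).items():
        print(src, reasons)
    print("indicator file present:", indicator_on_disk())
```

An absent indicator file does not clear a host, since the reported file name comes from one observed actor; the per-source grouping is there to surface the single-IP pattern described above.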