SecurityWeek

Hackers Exploiting Cisco Unified CM Vulnerability

Cisco noted that a PoC had been available for CVE-2026-20230 when it announced patches in early June.

A recently patched vulnerability affecting Cisco’s Unified Communications Manager (Unified CM) product is being exploited in attacks, according to exploit intelligence firm Defused.

Cisco announced patches for the vulnerability, tracked as CVE-2026-20230, on June 3. The company said the critical security hole can be exploited by an unauthenticated, remote attacker to conduct SSRF attacks, write arbitrary files to the underlying operating system, and escalate privileges to root. Exploitation is possible only when the WebDialer service, which is disabled by default, has been enabled.

When it announced fixes, Cisco noted that a PoC exploit had been available, but said it was not aware of any in-the-wild exploitation. 

Defused said it saw evidence of exploitation over the weekend, noting, “This is currently being exploited from a single source using an unvetted PoC, with genuinely-formatted file:// file-write payloads landing on our decoys.”

Defused recently also reported seeing the exploitation of three Fortinet product vulnerabilities. 

Shortly after the security firm announced seeing attacks exploiting CVE-2026-20230, SSD Secure Disclosure, which Cisco credited with reporting the vulnerability, published technical details and PoC code showing how the flaw can be leveraged by an unauthenticated attacker for remote code execution. 

Cisco has yet to confirm exploitation in its advisory. SecurityWeek has reached out to the tech giant to find out whether it’s aware of the attacks exploiting CVE-2026-20230.

Unified CM is Cisco’s flagship on-premises call control and session management platform. It serves as the core infrastructure for enterprise voice, video, and unified communications. Given that the product is used by large enterprises, CVE-2026-20230 can be highly valuable to both profit-driven cybercriminals and state-sponsored threat actors.

CVE-2026-20230 has yet to be added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and there do not appear to be other reports of exploitation. 

This is the second Cisco Unified CM vulnerability exploited in 2026. The first was CVE-2026-20045, which threat actors targeted as a zero-day.

Cisco’s SD-WAN products have been the most targeted this year, with eight vulnerabilities exploited to date. 

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
