In Less Than 24 Hours, Attackers Weaponize Cisco CUCM Flaw
Dark Reading
The flaw enables server-side request forgery (SSRF) and escalates privileges to root, impacting Cisco Unified CM and Unified CM SME deployments.
Jai Vijayan,Contributing Writer
June 25, 2026
3 Min Read
Attackers have begun actively exploiting a critical flaw in Cisco Unified Communications Manager (CUCM) to gain root access on vulnerable systems.
The attacks appear to have begun less than 24 hours after researchers at SSD Secure Disclosure this week released proof-of-concept code (PoC) along with a full exploit chain for the vulnerability.
SSRF to Root
The vulnerability, tracked as CVE-2026-20230, is an input validation flaw that allows an unauthenticated remote attacker to perform server-side request forgery (SSRF) against affected devices and escalate privileges to root. It impacts Cisco Unified CM and Unified CM SME deployments where the WebDialer service, which lets users place calls directly from a Web browser, is enabled. The service is disabled by default.
Cisco released fixed versions of the affected software June 3 and urged organizations to treat CVE-2026-20230 as a critical vulnerability rather than as a high-severity flaw, as its CVSS score of 8.6 might otherwise suggest.
CUCM is a central communications management platform that allows organizations to manage a complete range of voice, video, and messaging services. Cisco claims some 30 million users use the platform globally. CVE-2026-20230 is an SSRF vulnerability; SSRF is a class of flaws that give attackers a way to trick a server into sending HTTP requests to arbitrary internal or external resources. On communications platforms like CUCM, such bugs can be especially dangerous because they can provide a path to management and provisioning services, application server components, and other trusted internal services.
Working Blueprint for Attacks
SSD Secure Disclosure's PoC and exploit chain showed how an unauthenticated remote attacker could gain full control of affected CUCM platforms. The attack chain begins with a specially crafted HTTP request to the WebDialer service, which causes CUCM to interact with internal services not normally exposed externally, including an Apache Axis SOAP service. The attacker then writes a malicious JSP file into a publicly accessible CUCM Tomcat Web directory using a malicious Axis service definition. That JSP is used to drop a second JSP Web shell in the same location, which the attacker can use for remote code execution and eventual privilege escalation to root.
In a report this week, researchers at Defused said they observed attacks targeting CVE-2026-20230 hitting their decoy CUCM systems barely 24 hours after the PoC and exploit chain became available. A few days prior, Defused observed someone scanning for and tagging vulnerable CUCM systems. On June 24, the activity morphed into full-scale attacks that unfolded in a manner very similar to SSD Secure Disclosure's PoC and exploit chain. "A public PoC for CVE-2026-20230 was weaponized inside 24 hours," Defused said. "The observed chain abuses the WebDialer SSRF to deploy a rogue Apache Axis service, uses that service to write a first-stage JSP file-writer, then drops a second-stage command-execution shell." That shell was protected by a password lifted straight from the PoC, Defused noted.
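One way a defender might hunt for the sequence Defused describes in Tomcat access logs, as an added Python example that is not code from the article, Defused, Cisco or SSD Secure Disclosure: the URL paths, the baseline list of known-good JSPs and the 10-minute correlation window are assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed Tomcat-style access-log sample (not real CUCM logs). The URL
# paths are assumptions chosen for illustration, not Cisco's real endpoints.
ACCESS_LOG = """\
203.0.113.7 - - [24/Jun/2026:10:01:02 +0000] "POST /assumed-webdialer/api HTTP/1.1" 200 512
203.0.113.7 - - [24/Jun/2026:10:01:09 +0000] "GET /assumed-webapp/writer.jsp?f=x HTTP/1.1" 200 88
203.0.113.7 - - [24/Jun/2026:10:01:15 +0000] "GET /assumed-webapp/cmd.jsp?pw=x HTTP/1.1" 200 1200
198.51.100.4 - - [24/Jun/2026:10:05:00 +0000] "GET /assumed-webapp/main.jsp HTTP/1.1" 200 4000
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WEBDIALER_PREFIX = "/assumed-webdialer/"                   # assumed path prefix
BASELINE_JSPS = frozenset({"/assumed-webapp/main.jsp"})    # assumed known-good JSPs
WINDOW = timedelta(minutes=10)                             # assumed correlation window


def parse(line):
    """Return (ip, timestamp, method, path) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, _status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, target.split("?", 1)[0]   # drop the query string


def detect_webdialer_jsp_chain(lines):
    """Flag requests to .jsp files outside the baseline that follow a WebDialer
    request from the same client within WINDOW: the shape of a dropper and
    second-stage shell being invoked after the SSRF step."""
    last_webdialer = {}   # client ip -> time of its latest WebDialer request
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, when, _method, path = rec
        if path.startswith(WEBDIALER_PREFIX):
            last_webdialer[ip] = when
            continue
        if path.lower().endswith(".jsp") and path not in BASELINE_JSPS:
            seen = last_webdialer.get(ip)
            if seen is not None and timedelta(0) <= when - seen <= WINDOW:
                alerts.append({"ip": ip, "path": path,
                               "seconds_after_webdialer": int((when - seen).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in detect_webdialer_jsp_chain(ACCESS_LOG.splitlines()):
        print(alert)
```

On the constructed sample the two unknown JSPs requested 7 and 13 seconds after the WebDialer call are flagged, while the baseline main.jsp request from another client is not.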
Assume Compromise?
Organizations running CUCM with WebDialer enabled that have not patched CVE-2026-20230 should assume they have been scanned, the company noted.
Horizon3.ai released what it's calling a rapid response test that organizations can use to verify whether the vulnerability is exploitable in their specific environments. "The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure," Horizon3.ai said. In posts on X, the security vendor urged affected organizations to implement Cisco's mitigations for the vulnerability immediately or to disable WebDialer if it is not needed. "Unified CM powers communications infrastructure across healthcare, finance, government, and enterprise environments," Horizon3.ai observed.
For organizations with large Cisco footprints, the CUCM exploit activity is the second urgent patching issue they have had to address this week, following reports of attacks targeting a separate vulnerability in Cisco Catalyst SD-WAN deployments.
About the Author
Jai Vijayan
Contributing Writer
Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.
Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.
Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications.
His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.