AIO APEX

Cisco Unified CM Vulnerability CVE-2026-20230 Actively Exploited to Drop Webshells

BleepingComputer

Attackers are actively exploiting a critical Server-Side Request Forgery vulnerability in Cisco Unified Communications Manager (Unified CM), deploying persistent webshells on enterprise telephony infrastructure more than three weeks after patches were made available. Threat intelligence firm Defused confirmed active exploitation on June 23, 2026, observing "automated sweeps dropping webshells, all via Tor" across its honeypot network.

The vulnerability, tracked as CVE-2026-20230, was disclosed by Cisco on June 3 alongside security updates. Cisco initially rated it CVSS 8.6 (High), but has since upgraded its internal Security Impact Rating to Critical after determining the flaw can be chained to achieve root-level privilege escalation on affected systems.

How the Attack Chain Works

The vulnerability resides in the WebDialer component's improper validation of HTTP requests. Attackers exploit the component's handling of file:// URIs to write arbitrary files to the underlying operating system — files that are then used to escalate to root.

Observed attack chains follow a two-stage pattern. First, attackers abuse the WebDialer SSRF to deploy a rogue Apache Axis service. That service is then used to write a first-stage JSP file-writer, which drops a second-stage command-execution shell under /platform-services/axis2-web/. Reconnaissance-phase activity writes a test file at '/tmp/cve-2026-20230-test.txt' to identify vulnerable targets before full exploitation begins.

Scope and Affected Versions

Cisco Unified Communications Manager is one of the most widely deployed enterprise call management platforms globally — used by hospitals, financial institutions, government agencies, and large corporations. The Session Management Edition (SME) variant is also affected.

Exploitation requires the WebDialer service to be enabled. While WebDialer is disabled by default, many enterprise deployments enable it for click-to-call and directory integration features, making real-world exposure significant.

What to Do Now

Organizations should apply Cisco's June 2026 security updates immediately. Where WebDialer is not operationally required, disabling the service eliminates the attack surface entirely. Any deployment that cannot be patched immediately should be isolated from untrusted networks and monitored for file writes to /platform-services/ and /tmp/, as reported by BleepingComputer.
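A defender-side check for the indicators named in this article, added here as an example that is not part of the original report or of any Cisco tooling: it scans a constructed list of file-write events (assumed "ISO-timestamp user path" line format, not Cisco's own log format) for the reconnaissance marker and for JSP writes under /platform-services/axis2-web/, and correlates the two stages of the reported pattern.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in an assumed "ISO-timestamp user path" line format
# (not Cisco's log format); the paths follow the indicators in the article.
SAMPLE_EVENTS = """\
2026-06-23T10:01:02Z tomcat /var/log/tomcat/localhost.log
2026-06-23T10:01:05Z tomcat /tmp/cve-2026-20230-test.txt
2026-06-23T10:02:17Z tomcat /platform-services/axis2-web/writer.jsp
2026-06-23T10:02:40Z tomcat /platform-services/axis2-web/cmd.jsp
2026-06-23T10:03:00Z root /var/log/messages
2026-06-23T10:03:30Z tomcat /tmp/sess_4f2a.tmp
"""

# Ordered rules: first match wins, so the specific indicators come before the broad ones.
RULES = [
    ("recon-marker", re.compile(r"^/tmp/cve-2026-20230-test\.txt$"), "high"),
    ("webshell-drop", re.compile(r"^/platform-services/axis2-web/[^/]+\.jsp$"), "critical"),
    ("platform-services-write", re.compile(r"^/platform-services/"), "medium"),
    ("tmp-write", re.compile(r"^/tmp/"), "low"),
]

def classify(path):
    """Return (rule_name, severity) for the first rule matching path, else None."""
    for name, pattern, severity in RULES:
        if pattern.match(path):
            return name, severity
    return None

def scan(events, chain_window=timedelta(hours=1)):
    """Flag suspicious writes and correlate the recon marker with later JSP drops."""
    findings, recon_seen = [], None
    for line in events.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the scan
        ts, user, path = parts
        hit = classify(path)
        if hit is None:
            continue
        name, severity = hit
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        findings.append({"time": ts, "user": user, "path": path, "rule": name, "severity": severity})
        if name == "recon-marker":
            recon_seen = when
        elif name == "webshell-drop" and recon_seen and when - recon_seen <= chain_window:
            # Both stages of the reported pattern within the window: treat as confirmed exploitation.
            findings.append({"time": ts, "user": user, "path": path, "rule": "exploit-chain", "severity": "critical"})
    return findings
```

The "exploit-chain" finding is the one worth paging on; a lone write under /tmp/ is only a low-priority lead, since the service writes temporary files there legitimately.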

Originally reported by BleepingComputer. Read the original article for additional details.
