
Cisco Unified CM SSRF Flaw Is Being Exploited to Drop Webshells

by Rebecca Sutton

Attackers are actively exploiting a critical Cisco Unified CM SSRF vulnerability, tracked as CVE-2026-20230, to plant persistent webshells on exposed servers. Tor-anonymised sweeps began around June 22-23, 2026. That was roughly two days after public proof-of-concept code circulated, and three weeks after Cisco shipped the patch on June 3.

The Cisco Unified CM SSRF Vulnerability

CVE-2026-20230 is an improper input validation flaw in the WebDialer component of Cisco Unified CM and Unified CM Session Management Edition (SME). An unauthenticated attacker can send a crafted HTTP request that makes the server issue internal requests on the attacker's behalf; because those requests accept file:// URIs, the attacker can write arbitrary files to the underlying OS.

Cisco rated the CVSS base score at 8.6 but classified overall severity as Critical. No authentication is required to trigger the Cisco Unified CM SSRF condition. A file write to the OS quickly becomes full root-level compromise, as the exploitation chain described in the next section shows.

WebDialer is disabled by default, which limits exposure. Many enterprise Unified CM deployments do enable it, though, and those are the systems now being swept.

From SSRF to Persistent Webshell: The Full Attack Chain

The server-side request forgery is only the entry point. SSD Secure Disclosure published a full technical write-up on June 24, 2026, documenting the three-stage chain attackers are running.

First, the attacker abuses WebDialer’s SSRF to install a rogue Apache Axis service on the target. Then they use that service to write a JSP file-writer to disk. Finally, they drop a command-execution webshell into the /platform-services/axis2-web/ directory.

At that point the attacker has persistent remote code execution over HTTP. Cisco Unified CM commonly runs as a virtual machine on Cisco UCS hardware with VMware ESXi. Privilege escalation from that foothold follows, and Cisco’s advisory confirms the path ends at root-level compromise.

What the Honeypots Captured

Threat intelligence firm Defused Cyber spotted the first exploitation attempts on their honeypots around June 22-23, 2026. Initial activity looked like fingerprinting. An early PoC wrote a test file, /tmp/cve-2026-20230-test.txt, to confirm the target was writable.

That recon phase escalated quickly. Defused reported “automated sweeps dropping webshells, all via Tor.” The campaign routed traffic through the anonymising network to mask its origin. Scale and automation point to opportunistic mass scanning rather than targeted intrusions.

BleepingComputer confirmed that as of June 24, Cisco had not formally updated its advisory to acknowledge the active exploitation. The CVE was also absent from CISA’s Known Exploited Vulnerabilities catalogue at time of writing.

Affected Versions and Patches

Both Cisco Unified CM and Unified CM SME are affected across two release trains:

  • Release 14: all versions prior to 14SU6. Fixed in 14SU6, available since June 3, 2026.
  • Release 15: all versions prior to 15SU5. The full fix, 15SU5, is due September 2026. Cisco has released an interim COP patch for immediate deployment.

The Cisco Security Advisory reference is cisco-sa-cucm-ssrf-cXPnHcW, published June 3, 2026.

Why Attackers Target Enterprise Communications Platforms

Cisco Unified CM sits at the core of enterprise voice infrastructure. It holds user directories, call routing tables, and voicemail data, and often connects to HR and directory services. A webshell on a UCM host gives a foothold well inside the network, not just on the perimeter. That also means logs and alerts for this kind of intrusion are often reviewed less frequently than those on perimeter systems.

The Cisco Unified CM SSRF flaw is especially useful to threat actors because the system runs with elevated privileges. Many UCM deployments are reachable from internal network segments. A compromise here is harder to detect than a typical web server breach.

What to Do Right Now

Start by checking WebDialer’s status. In Cisco Unified CM Administration, go to Cisco Unified Serviceability, then Control Center under Feature Services. If WebDialer is running and is not operationally needed, disable it. That removes the attack vector without a patch cycle.

If WebDialer must stay on, apply the patch. Release 14 deployments should upgrade to 14SU6. For release 15, deploy the interim COP patch while waiting for 15SU5 in September.

Also run a compromise check on any system where WebDialer was enabled and unpatched. Look for unexpected .jsp files in /platform-services/axis2-web/. Check for unfamiliar Apache Axis service entries. Look for new files in /tmp/ and odd outbound connections. Automated sweeps ran for at least two days. Any exposed, unpatched instance should be treated as compromised until forensic review says otherwise.
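A defender-side triage script for the file-system indicators listed above (an added example, not Cisco's or Defused's tooling). It assumes the checked tree mirrors the appliance root, for instance a copied or mounted file system examined from an analysis host, and that a baseline of the .jsp files shipped with the installed version is available; `build_demo_tree` constructs sample data.

```python
import os
import tempfile
from pathlib import Path

# Root-relative paths so the same code runs on a copied or mounted file system
# (assumption: the examined tree mirrors the appliance root).
AXIS2_WEB = "platform-services/axis2-web"
POC_MARKER = "tmp/cve-2026-20230-test.txt"  # marker written by the early PoC

def unexpected_jsp(root, baseline):
    """Return .jsp files under axis2-web that are missing from `baseline`, a set
    of root-relative paths taken from a clean install of the same version
    (assumption: such a baseline exists; an empty set reports every .jsp)."""
    root = Path(root)
    base = root / AXIS2_WEB
    if not base.is_dir():
        return []
    rel = (p.relative_to(root).as_posix() for p in base.rglob("*.jsp"))
    return sorted(r for r in rel if r not in baseline)

def fresh_tmp_files(root, since_epoch):
    """Return files under tmp/ modified at or after `since_epoch` (e.g. the first
    observed sweep), always including the PoC marker if it exists at all."""
    root = Path(root)
    hits = {POC_MARKER} if (root / POC_MARKER).is_file() else set()
    tmp = root / "tmp"
    for p in (tmp.rglob("*") if tmp.is_dir() else []):
        if p.is_file() and p.stat().st_mtime >= since_epoch:
            hits.add(p.relative_to(root).as_posix())
    return sorted(hits)

def build_demo_tree():
    """Constructed sample tree, not real appliance data: one shipped .jsp, one
    planted .jsp, one stale tmp file and an old-dated PoC marker."""
    root = Path(tempfile.mkdtemp())
    (root / AXIS2_WEB).mkdir(parents=True)
    (root / "tmp").mkdir()
    (root / AXIS2_WEB / "index.jsp").write_text("<%-- shipped page --%>")
    (root / AXIS2_WEB / "x9k.jsp").write_text("<%-- planted (constructed) --%>")
    for name in ("tmp/old.log", POC_MARKER):
        (root / name).write_text("x")
        os.utime(root / name, (1_000_000, 1_000_000))  # mtime far in the past
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    print(unexpected_jsp(demo, {AXIS2_WEB + "/index.jsp"}))  # ['platform-services/axis2-web/x9k.jsp']
    print(fresh_tmp_files(demo, since_epoch=2_000_000))      # ['tmp/cve-2026-20230-test.txt']
```

Any hit from either function is a reason to hand the host to forensic review rather than to clean it in place; a missing baseline turns the first check into a full inventory to compare by hand against a known-good install.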
