Cisco Unified CM Flaw CVE-2026-20230 Now Exploited in Attacks

What happened

A high-severity vulnerability in Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition is now being exploited in attacks.

The flaw, tracked as CVE-2026-20230, is a server-side request forgery vulnerability that allows an unauthenticated remote attacker to send crafted HTTP requests to affected devices.

Cisco released security updates for the vulnerability on June 3. The company warned that successful exploitation could allow attackers to write files to the underlying operating system and later use those files to elevate privileges to root.

Threat intelligence firm Defused reported that exploitation was observed over the weekend. The activity appears to have originated from a single IP address and used properly constructed file-based payloads to create files on vulnerable devices.

The currently observed exploitation appears to be reconnaissance in nature. Defused said the proof-of-concept activity attempted to write a test file to vulnerable devices rather than immediately deploying webshells or taking full control.

Who is affected

Organizations running affected Cisco Unified Communications Manager or Cisco Unified Communications Manager Session Management Edition deployments are at risk.

The risk is highest for organizations with exposed or reachable Cisco Unified CM systems that have not yet applied Cisco’s June 3 security updates.

Because the flaw can allow unauthenticated remote attackers to write files to the underlying operating system and potentially gain root privileges, affected systems should be treated as high-priority voice and communications infrastructure assets.

Why CISOs should care

Cisco Unified CM is a core communications platform in many enterprise environments. A vulnerability that can be exploited remotely, without authentication, to write files to the operating system creates serious risk, especially if attackers can use that access to deploy webshells or gain root privileges.

The currently observed exploitation may be reconnaissance-focused, but public technical details and proof-of-concept code increase the likelihood that additional threat actors will begin targeting exposed systems.

For CISOs, this incident also reinforces that unified communications systems should be part of vulnerability management and incident response planning. These platforms often sit outside the most visible application stack, but compromise can affect enterprise communications, authentication paths, internal routing, and administrative access.

3 practical actions

  1. Apply Cisco’s security updates immediately: Cisco released fixes for CVE-2026-20230 on June 3. Organizations should prioritize patching affected Unified CM and Unified CM SME deployments because exploitation is now being observed.
  2. Review logs for suspicious WebDialer and file-write activity: Defused observed exploitation attempts using crafted payloads to create files on affected devices. Security teams should examine Unified CM logs, web access logs, and operating system artifacts for suspicious requests, unexpected files, or signs of attacker-controlled file creation.
  3. Restrict access to Unified CM management and exposed services: The vulnerability is remotely exploitable through crafted HTTP requests sent to affected devices. CISOs should limit network access to Unified CM interfaces, place management services behind trusted access controls, and monitor exposed communications infrastructure for unusual activity.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.