A recently patched vulnerability affecting Cisco’s Unified Communications Manager (Unified CM) product is being exploited in attacks, according to exploit intelligence firm Defused.
Cisco announced patches for the vulnerability, tracked as CVE-2026-20230, on June 3. The company said the critical security hole can be exploited by an unauthenticated, remote attacker to conduct SSRF attacks, write arbitrary files to the underlying operating system, and escalate privileges to root. Exploitation requires enabling the WebDialer service, which is disabled by default.
When it announced fixes, Cisco noted that a PoC exploit had been available, but said it was not aware of any in-the-wild exploitation.
Defused said it saw evidence of exploitation over the weekend, noting, “This is currently being exploited from a single source using an unvetted PoC, with genuinely-formatted file:// file-write payloads landing on our decoys.”
Defused recently also reported seeing the exploitation of three Fortinet product vulnerabilities.
