A high-severity SSRF vulnerability, tracked as CVE-2026-20230, in Cisco Unified Communications Manager Server is now being exploited in attacks.

Cisco released security updates for the CVE-2026-20230 flaw on June 3, warning that exploitation could give attackers root privileges on the device.

“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device,” warned Cisco.

“This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.”

The flaw was disclosed to Cisco by SSD Secure, who did not share any technical details at the time.

Today, threat intelligence firm Defused warned that the flaw is now being actively exploited in attacks.

“Over the weekend we observed exploitation of CVE-2026-20230 – Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6) No previously recorded exploitation, and not yet listed in CISA KEV,” Defused warned on X.

Defused says the attacks are originating from a single IP address and use properly constructed file:// payloads to create files on the device.

While the flaw can be exploited in attacks to drop webshells and gain root privileges, the PoC observed by Defused appears designed to identify vulnerable devices by attempting to write a text file named ‘/tmp/cve-2026-20230-test.txt’ to them.

After the exploitation was disclosed, SSD Secure published a technical write-up of the flaw explaining how the vulnerability works and sharing a proof-of-concept exploit.

The researchers found that an unauthenticated attacker could abuse the Webdialer component’s handling of user-supplied URLs to force the application to write arbitrary files to the operating system using file:// URIs.

By controlling the file path and the content written to disk, an attacker could exploit the bug to achieve remote code execution and ultimately gain root privileges on vulnerable devices.

SSD Secure noted that exploitation requires the attacker to first obtain the target system’s hostname before carrying out the file-write attack. However, the researchers demonstrated how that information can be retrieved from the device before exploitation.

While the current exploitation appears to be reconnaissance in nature, now that the flaw has been fully disclosed, we will likely see more threat actors target these servers.

BleepingComputer contacted Cisco to ask if they, too, are seeing the flaw exploited in attacks and if any IOCs can be shared with defenders, and will update the article if we receive a response.