CVE-2026-20230: Cisco CUCM SSRF Flaw Exploited in the Wild

Attackers are actively exploiting CVE-2026-20230, a server-side request forgery flaw in Cisco Unified Communications Manager (CUCM), to plant webshells and gain full remote control of affected systems. A fully automated exploit swept through exposed CUCM appliances within 24 hours of the public proof-of-concept being released, using Tor to conceal its origin. Organisations running Cisco Unified CM or Unified CM SME with WebDialer enabled should patch immediately and check for signs of compromise.

Severity: Critical

Vulnerability Details

  • CVE ID: CVE-2026-20230
  • Affected Product: Cisco Unified Communications Manager (CUCM)
  • Vulnerability Type: Server-Side Request Forgery (SSRF) → Remote Code Execution
  • CVSS Score: 8.6 (High)
  • EPSS Score: 20.44%
  • Authentication Required: No (Unauthenticated RCE)

Affected Products & Fixed Versions

  • This vulnerability affects Cisco Unified CM and Unified CM SME if they have the WebDialer service enabled.
  • Fixed in versions 14SU6 or 15SU5.

Note: Patches are version-specific. Consult the README attached to the patch for details.

Kill Chain Breakdown (5 Stages)

Stage 1: Reconnaissance

GET /webdialer/Version.jws?wsdl

  • Purpose: Exfiltrate the appliance’s true short hostname
  • Why: Required to satisfy SSRF host-header validation downstream
  • Tradecraft Gap: The observed operator skipped this step (used the literal string html as the hostname segment instead of the true hostname vm01)

Stage 2: SSRF → Rogue Apache Axis Service Deployment

GET /cmplatform/installClusterStatusExecute?action=clusterNodeInstallStatus&hostname=<PAYLOAD>

  • Payload Structure: Crafted path through WebDialer/Axis stack terminating at installstages
  • Escape Mechanism: <!-- HTML comment injection breaks out of the normal endpoint response
  • Malicious Object: Axis wsdd deployment descriptor registering attacker-controlled SOAP service
  • Critical Feature: LogHandler.fileName traversal (12× ../ path traversal) writes into web-accessible axis2-web directory
  • Historical Precedent: Lineage to CVE-2019-0227 (Apache Axis 1.4 admin panel RCE)

Stage 3: Service Abuse → Stage-1 Webshell Write

  • Function: Invokes the freshly deployed malicious SOAP service
  • Output: LogHandler writes a minimal JSP file-writer to disk
  • File-Writer Parameters:
    • f = target file path
    • t = file content to write

Stage 4: Dropper → Stage-2 Webshell Deployment

GET /platform-services/axis2-web/<STAGE2>.jsp?f=<PATH>&t=<PAYLOAD>

  • Purpose: Uses Stage-1 writer to deploy the actual persistent webshell
  • Location: axis2-web/ directory (web-accessible, post-traversal)
  • Sophistication: Two-stage approach avoids single large payload in initial SSRF

Stage 5: RCE Validation

GET /platform-services/axis2-web/<STAGE2>.jsp?pwd=123&i=id

  • Auth Gate: pwd=123 hardcoded password check
  • Test Command: id execution to validate shell functionality
  • Observation: Operator stops after validation; no lateral movement observed

Recommendations

  1. Apply Cisco’s patch for CVE-2026-20230 (cisco-sa-cucm-ssrf-cXPnHcW), fixed in releases 14SU6 and 15SU5 due September 2026, or via COP file; consult the README for version-specific instructions.
  2. Workaround: Check whether WebDialer is enabled on all Cisco Unified CM and Unified CM SME nodes; if not in use, disable it via Cisco Unified Serviceability to remove the attack surface.
  3. Audit /platform-services/axis2-web/ on all CUCM nodes for unexpected .jsp files and remove any found; these are the webshell drop locations confirmed in observed attacks.
  4. Search web and application logs for requests to /cmplatform/installClusterStatusExecute containing path traversal sequences (../) in the hostname parameter as a primary indicator of exploitation.
  5. Block the IOCs at their respective controls; the indicator collection is published at:
    https://www.virustotal.com/gui/collection/10e1180b757b4c71edecb209292a556f5ac6e2e9b25b452f606fa970f44d75d9/iocs
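As an added defensive example (not code from the advisory, Cisco or the cited researchers), the following Python scans constructed access-log lines for the indicators in recommendations 3 and 4 and the request shapes of the kill chain above; the combined-log format, the sample lines and the stage labels are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Paths and indicators taken from the kill chain described in this advisory.
SSRF_PATH = "/cmplatform/installClusterStatusExecute"
AXIS2_WEB = "/platform-services/axis2-web/"
TRAVERSAL = re.compile(r"\.\./|\.\.\\")  # applied after URL-decoding
# Minimal combined-log parser: only method, request target and status are needed.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify_request(target):
    """Map a request target to the kill-chain stage it resembles, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)
    if path == SSRF_PATH:
        # parse_qs decodes once; unquote again so double-encoded "../" is caught too.
        hostname = unquote(query.get("hostname", [""])[0])
        return "stage2-ssrf-traversal" if TRAVERSAL.search(hostname) else None
    if path.startswith(AXIS2_WEB) and path.lower().endswith(".jsp"):
        if "f" in query and "t" in query:
            return "stage4-dropper"          # Stage-1 writer used to drop Stage-2
        if "pwd" in query and "i" in query:
            return "stage5-rce"              # hard-coded password + command param
        return "axis2-web-jsp"               # any JSP here is unexpected on CUCM
    return None

def scan_log(lines):
    """Return (line number, stage, request target) for every suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if m:
            stage = classify_request(m.group("target"))
            if stage:
                hits.append((n, stage, m.group("target")))
    return hits

# Constructed sample log lines (not real traffic): line 2 carries the traversal
# indicator from recommendation 4, lines 3 and 4 the two webshell stages.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Aug/2026:10:00:01 +0000] "GET /webdialer/Version.jws?wsdl HTTP/1.1" 200 512',
    '10.0.0.5 - - [07/Aug/2026:10:00:02 +0000] "GET /cmplatform/installClusterStatusExecute?action=clusterNodeInstallStatus&hostname=html/..%2F..%2F..%2FCONSTRUCTED HTTP/1.1" 200 88',
    '10.0.0.5 - - [07/Aug/2026:10:00:03 +0000] "GET /platform-services/axis2-web/x.jsp?f=/tmp/a&t=test HTTP/1.1" 200 10',
    '10.0.0.5 - - [07/Aug/2026:10:00:04 +0000] "GET /platform-services/axis2-web/x.jsp?pwd=123&i=id HTTP/1.1" 200 40',
    '10.0.0.9 - - [07/Aug/2026:10:01:00 +0000] "GET /cmplatform/installClusterStatusExecute?action=clusterNodeInstallStatus&hostname=vm01 HTTP/1.1" 200 88',
]
```

Run scan_log over real CUCM web logs; the hostname=vm01 line shows that a legitimate cluster-status call without traversal is not flagged.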

Source:

  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW
  • https://defusedcyber.com/cucm-cve-2026-20230-fullchain-sweep
  • https://x.com/DefusedCyber/status/2069074520057557244

7th August 2026