Threat Research

A phone system, one request, and root

An unauthenticated SSRF in Cisco Unified CM’s WebDialer chains to a JSP webshell and root-level compromise of enterprise voice infrastructure. Cisco patched it on June 3; within weeks attackers were dropping webshells over Tor, and CISA gave federal agencies until June 28 to fix it.

8 min read · Trident Research

On June 3, 2026, Cisco patched a server-side request forgery bug in Unified Communications Manager, its enterprise phone system. The CVSS base score was 8.6, which sits in the High band. Cisco rated it Critical anyway.

That gap is the point. The CVSS vector is integrity-only, so on paper the bug just lets an attacker write a file. That file write is the first link in a chain that ends with a webshell and root access on a server sitting in the middle of the corporate network. Cisco said as much in the advisory.

Within three weeks the chain was public, and then it was automated. By late June, attackers were sweeping the internet over Tor and dropping webshells, and CISA had given federal agencies until June 28 to patch. The important part: the webshell they drop survives the patch. Fixing the SSRF closes the door, but it does nothing about anyone already inside.

[Figure: six-stage flow diagram of CVE-2026-20230, from unauthenticated request through hostname discovery via the WebDialer WSDL endpoint, SSRF and host-check bypass at the cmplatform cluster-install servlet, Apache Axis WSDD injection for an arbitrary file write, a JSP webshell under platform-services axis2-web, and root-level compromise.]
CVE-2026-20230 end to end: one unauthenticated request, a leaked hostname, an SSRF that defeats host validation, an Apache Axis file write, a JSP webshell, and escalation to root.

TL;DR

  • CVE-2026-20230 is an unauthenticated SSRF (CWE-918) in Cisco Unified CM and Unified CM SME, in the WebDialer service. Cisco advisory cisco-sa-cucm-ssrf-cXPnHcW, bug ID CSCws67331.
  • The CVSS base score is 8.6 and the vector is integrity-only, but Cisco set the Security Impact Rating to Critical because the file write can be escalated to root.
  • It only applies when the WebDialer service is enabled. WebDialer is off by default, but it is commonly turned on for click-to-dial, so do not assume you are safe.
  • Researchers chained the SSRF into a persistent JSP webshell under /platform-services/axis2-web/. The patch alone does not remove it.
  • It is actively exploited and on CISA's KEV list (added June 25, federal deadline June 28). Patch to 14SU6 or 15SU5 (or the interim COP), then hunt for a foothold. There is no real workaround; disabling WebDialer is only a mitigation.

How the chain works

Unified CM exposes a web service called WebDialer, the component behind the click-to-dial buttons in softphones. The vulnerable code does not properly validate certain HTTP requests, and an unauthenticated attacker can use that to make the server write files to its own disk. Cisco's advisory states the impact directly:

"The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root." (Cisco advisory cisco-sa-cucm-ssrf-cXPnHcW)

There is one precondition. The server checks the incoming request against a list of trusted hostnames, so an attacker cannot simply point it at localhost. The SSD Secure Disclosure write-up shows that validation logic, and it shows the way around it: the attacker first asks WebDialer for the server's real hostname through an unauthenticated WSDL endpoint, /webdialer/Version.jws?wsdl, then replays that hostname to pass the check.

[Figure: decompiled Java method hostHeaderValidation from Cisco Unified CM's InjectionFilter class, reading the Host header and comparing it against a populated trusted-host list. Source: SSD Secure Disclosure.]
The host-header validation inside Unified CM, decompiled. It compares the request against a trusted-host list, which is why the attack needs the server's true hostname before it can do anything else.

From there it is mechanical. The discovered hostname gets the request to an internal cluster-install servlet, /cmplatform/installClusterStatusExecute, whose hostname parameter is not properly checked either. That parameter is used to inject a malicious Apache Axis service descriptor (a WSDD) into the Axis framework already running on the box, a technique in the same family as the older Apache Axis bug CVE-2019-0227. The injected handler gives the attacker an arbitrary file write. You will also see this called a file:// SSRF, which is the shape the in-the-wild recon probes took. The primitive in the disclosed PoC is the Axis descriptor injection, not a file:// fetch.

With a file write in hand, the attacker stages the payload. They write a first-stage JSP file-writer under /platform-services/axis2-web/, then use it to drop a second-stage JSP command shell in the same directory. That shell runs in the Unified CM Tomcat web context and gives persistent command execution over HTTP, and the underlying OS file write is what Cisco says can then be turned into root.

Why patching is not enough

The SSRF is the way in, but the webshell is what stays. It is an ordinary file on disk in a web-served directory, so patching the SSRF does not remove it. Closing CVE-2026-20230 stops new break-ins. It does nothing about a shell that is already there.

Why it matters

Unified CM is not a peripheral box. It is the core of enterprise voice: user directories, call-routing tables, voicemail, and it usually integrates with HR and directory systems. A webshell there is a foothold well inside the network, on a host whose logs tend to get reviewed far less often than anything on the perimeter.

Root on that host opens a wide blast radius. From it an attacker can harvest credentials, alter directory integrations, intercept or record calls, disrupt emergency calling, and pivot into whatever the server can reach. Unified CM commonly runs as a VM on Cisco UCS hardware under VMware ESXi, so the surrounding virtualization and management network is in scope too.

Exploited in the wild

Cisco said it was not aware of any malicious use when it shipped the fix on June 3. That did not last. Proof-of-concept code was circulating within days, and over the weekend of June 21 the threat-intelligence firm Defused caught the first hits on its honeypots: a single source fingerprinting Cisco Unified CM decoys with a PoC that wrote a harmless marker file to /tmp to check whether the target was writable.

[Figure: honeypot capture of a CVE-2026-20230 reconnaissance request labeled WEBDIALER SERVLET RECON against a Cisco Unified Communications Manager decoy, with a User-Agent of CVE-2026-20230-PoC and a body that writes a marker file to /tmp. Source: Defused, via BleepingComputer.]
A honeypot capture of an early probe. The User-Agent literally reads CVE-2026-20230-PoC, and the request writes the recon marker file to /tmp to test whether the host is writable.

By June 24 the activity had turned into automated, Tor-routed sweeps that dropped webshells instead of test files, and Horizon3.ai had shipped a NodeZero test so defenders could safely check exploitability. On June 25, CISA added CVE-2026-20230 to its Known Exploited Vulnerabilities catalog and set a federal remediation deadline of June 28 under BOD 26-04.

  • Jun 3, 2026: Cisco publishes advisory cisco-sa-cucm-ssrf-cXPnHcW and ships fixes (14SU6 / 15SU5), stating it is not aware of any malicious use.
  • Jun 5, 2026: Public reporting flags the availability of proof-of-concept exploit code.
  • Jun 21, 2026: Defused observes the first in-the-wild activity on its honeypots: reconnaissance from a single source, writing a marker file to /tmp.
  • Jun 24, 2026: SSD Secure Disclosure publishes the full technical write-up; activity escalates to automated, Tor-routed sweeps dropping webshells.
  • Jun 25, 2026: CISA adds CVE-2026-20230 to the KEV catalog with a June 28 federal remediation deadline under BOD 26-04.

No threat actor has been named, and no confirmed organizational breach has been reported yet. The observed traffic looks like opportunistic mass scanning rather than a targeted campaign. Given the persistence, assume any exposed, unpatched instance already has a shell on it.

Detection and IOCs

Start by finding out whether you are exposed at all. In Cisco Unified CM Administration, switch to Cisco Unified Serviceability, then open Tools and Control Center - Feature Services, and look under the CTI Services section for Cisco WebDialer Web Service. If it shows Started, the service is enabled and reachable.

Then hunt for a foothold. The early recon left a marker file, and the live attacks leave JSP files in the Axis web directory:

Indicators to hunt on a Unified CM host:

  # recon marker dropped by the early proof-of-concept
  /tmp/cve-2026-20230-test.txt

  # webshell drop directory (review it; attacker filenames vary)
  /platform-services/axis2-web/*.jsp

  # request patterns worth alerting on in access logs
  /webdialer/Version.jws?wsdl                 # hostname-discovery probe
  /cmplatform/installClusterStatusExecute     # anomalous hostname parameter

Beyond those, watch for unexpected file-creation events on the host, unfamiliar Apache Axis service or handler registrations, inbound traffic from Tor exit nodes, and any anomalous outbound connections from a server that normally just routes calls.
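The request patterns above are easy to turn into a log-triage rule. What follows is an added example, not code from the Trident post or from Cisco: it parses constructed access-log lines in a Common Log Format style with an appended User-Agent, applies the indicators listed above plus a Tor exit-node check, and then correlates sources that completed the two-step probe (WSDL hostname discovery followed by a hit on the cluster-install servlet). The log layout, every address and hostname, and the stand-in Tor exit list are assumptions; adapt the regex to whatever your Tomcat access-log export actually looks like.

```python
"""
Added example, not part of the Trident post or Cisco's material: triage of
Unified CM Tomcat access-log lines for the request patterns the post lists.
Log format, field order and every IP/hostname below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable

# Constructed sample lines (Common Log Format plus a trailing User-Agent).
# None of these are real captures.
SAMPLE_LOG = """\
203.0.113.9 - - [21/Jun/2026:02:11:07 +0000] "GET /webdialer/Version.jws?wsdl HTTP/1.1" 200 1412 "CVE-2026-20230-PoC"
203.0.113.9 - - [21/Jun/2026:02:11:09 +0000] "POST /cmplatform/installClusterStatusExecute?hostname=ucm-pub.corp.example HTTP/1.1" 302 0 "CVE-2026-20230-PoC"
198.51.100.77 - - [24/Jun/2026:14:03:41 +0000] "GET /platform-services/axis2-web/zz.jsp?cmd=id HTTP/1.1" 200 87 "Mozilla/5.0"
10.20.30.40 - - [24/Jun/2026:14:05:00 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 200 5120 "Mozilla/5.0"
10.20.30.41 - - [24/Jun/2026:14:06:12 +0000] "GET /webdialer/Webdialer?cmd=makeCallSoap HTTP/1.1" 200 640 "Jabber/14"
"""

# Constructed stand-in for a Tor exit-node list; load the current list from
# your own threat-intel feed in practice.
TOR_EXIT_NODES = {"198.51.100.77"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    reasons: list = field(default_factory=list)


def classify(ip: str, path: str, ua: str) -> list:
    """Return every detection reason that fires for one request."""
    reasons = []
    lower = path.lower()
    if lower.startswith("/webdialer/version.jws") and "wsdl" in lower:
        reasons.append("hostname-discovery probe (WebDialer WSDL)")
    if lower.startswith("/cmplatform/installclusterstatusexecute"):
        reasons.append("cluster-install servlet reached over HTTP")
    if lower.startswith("/platform-services/axis2-web/") and ".jsp" in lower:
        reasons.append("JSP request under axis2-web (possible webshell)")
    if "cve-2026-20230" in ua.lower():
        reasons.append("User-Agent names the CVE")
    if ip in TOR_EXIT_NODES:
        reasons.append("source is a known Tor exit node")
    return reasons


def triage(lines: Iterable[str]) -> list:
    """Parse each line and keep only requests that trip at least one rule."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        reasons = classify(m["ip"], m["path"], m["ua"])
        if reasons:
            findings.append(Finding(m["ip"], m["ts"], m["path"], reasons))
    return findings


def attack_chain_sources(findings: list) -> list:
    """IPs that both probed the WSDL and hit the cluster-install servlet,
    the two-step shape of the disclosed chain."""
    probed, servlet = set(), set()
    for f in findings:
        for r in f.reasons:
            if r.startswith("hostname-discovery"):
                probed.add(f.ip)
            elif r.startswith("cluster-install"):
                servlet.add(f.ip)
    return sorted(probed & servlet)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ts} {f.ip} {f.path}\n    " + "; ".join(f.reasons))
    print("sources completing probe + servlet sequence:", attack_chain_sources(found))
```

Legitimate click-to-dial traffic hits the WebDialer servlet itself, not the Version.jws WSDL, so the WSDL rule stays quiet for normal users; the correlation step is what separates a stray scanner from a source that is actually walking the chain.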

How to respond

There is no clever workaround here. Cisco says so plainly:

"There are no workarounds that address this vulnerability." (Cisco advisory cisco-sa-cucm-ssrf-cXPnHcW)

So the response is patch, contain, verify.

  • Patch now. Upgrade Unified CM and Unified CM SME to 14SU6 (14 train) or 15SU5 (15 train, due around September 2026), or apply the interim COP patch until 15SU5 is available. With active exploitation, public PoC, and a KEV deadline, treat every exposed instance as an emergency.
  • If you cannot patch immediately, disable WebDialer. Stop Cisco WebDialer Web Service in Control Center - Feature Services, or deactivate it under Service Activation. Exploitation requires it to be running. This is a stopgap, not a fix.
  • Assume persistence. Because the webshell survives patching, hunt for the marker file and for JSP files under /platform-services/axis2-web/ before you call an instance clean. Treat any exposed, unpatched host as compromised until forensics says otherwise.
  • Reduce exposure. Take Unified CM admin and web interfaces off the public internet, segment the voice network, and review the directory, HR, and credential material a compromised UCM host could reach.
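For the "assume persistence" step, here is an added example (not code from the Trident post or from Cisco) of a foothold hunt over an offline copy of a Unified CM filesystem, such as a mounted disk image or an exported copy of the Tomcat webapps tree. It checks for the recon marker and lists every JSP under the axis2-web directory with size, modification time and SHA-256, flagging anything changed after the patch date or absent from a known-good digest set. It assumes the post's indicator paths map onto that tree as shown and that you build the known-good set yourself from a node you trust; the fixture it builds is constructed so the script runs offline.

```python
"""
Added example, not part of the Trident post or Cisco's material: hunt an
offline filesystem copy for the webshell indicators. The on-disk location of
the axis2-web directory is an assumption; map the URL path to the real
directory in your export before running this for real.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MARKER = Path("tmp/cve-2026-20230-test.txt")      # recon marker from the early PoC
AXIS2_WEB = Path("platform-services/axis2-web")   # webshell drop directory
PATCH_DATE = datetime(2026, 6, 3, tzinfo=timezone.utc)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root, changed_after: datetime, known_good=frozenset()) -> dict:
    """Report marker-file presence and every JSP under axis2-web.
    known_good holds SHA-256 digests of JSPs verified on a clean install
    (assumption: you build it from a node you trust; none are supplied)."""
    root = Path(root)
    report = {"marker_present": (root / MARKER).is_file(), "jsp": []}
    drop_dir = root / AXIS2_WEB
    if drop_dir.is_dir():
        for p in sorted(drop_dir.rglob("*.jsp")):
            st = p.stat()
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            digest = sha256_of(p)
            report["jsp"].append({
                "path": str(p.relative_to(root)),
                "size": st.st_size,
                "mtime": mtime.isoformat(),
                "sha256": digest,
                # unknown content or a post-patch write both deserve a look
                "suspicious": mtime > changed_after or digest not in known_good,
            })
    return report


def build_fixture() -> Path:
    """Constructed tree: one stock-looking JSP with an old mtime, one newly
    dropped JSP (placeholder text, not a real shell) and the marker file."""
    root = Path(tempfile.mkdtemp(prefix="ucm-hunt-"))
    (root / AXIS2_WEB).mkdir(parents=True)
    stock = root / AXIS2_WEB / "index.jsp"
    stock.write_text("<%-- placeholder for a stock page --%>\n")
    old = datetime(2026, 1, 15, tzinfo=timezone.utc).timestamp()
    os.utime(stock, (old, old))
    dropped = root / AXIS2_WEB / "zz.jsp"
    dropped.write_text("<%-- placeholder standing in for an attacker-dropped file --%>\n")
    (root / MARKER).parent.mkdir(parents=True)
    (root / MARKER).write_text("x\n")
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    baseline = {sha256_of(fixture / AXIS2_WEB / "index.jsp")}  # built from a trusted node
    result = hunt(fixture, PATCH_DATE, baseline)
    print("marker present:", result["marker_present"])
    for entry in result["jsp"]:
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{flag:10} {entry['path']} {entry['size']}B {entry['mtime']}")
```

Because attacker filenames vary, the script does not look for particular names; an empty known-good set makes every JSP in the directory suspicious, which is the right default until you have a clean baseline to compare against.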

About Trident

Trident maps cloud assets, traces AI agent behavior, and enforces runtime policies across your infrastructure. The same approach applies to a box like Unified CM: it inventories what is actually exposed, flags an internet-reachable service like WebDialer before an attacker finds it, and watches for the file writes and new processes that turn a single request into a persistent foothold, with full context and blast-radius analysis.
