CVE-2026-20230 · Critical · CISA KEV

Cisco Unified CM SSRF: Critical RCE Risk, Actively Exploited in the Wild

Threat Engine Auto-Feed · data current as of 2026-06-29

A critical Server-Side Request Forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM) allows unauthenticated, remote attackers to write arbitrary files. This can lead to privilege escalation to root, posing a significant risk to affected systems. This vulnerability is actively exploited in the wild, as confirmed by its inclusion in the CISA KEV catalog.

  • CVSS:
  • EPSS percentile: 0.98507
  • Exploitation pressure: 84/100 (Critical)

Exploitation reality: listed in CISA KEV (exploited in the wild) · EPSS 99th percentile. Threat × Vulnerability from public signals — impact depends on your environment.

Weakness

Server-Side Request Forgery (SSRF) occurs when a web application fetches a remote resource without properly validating the user-supplied URL. An attacker can manipulate the application to make requests to arbitrary internal or external systems, potentially accessing sensitive data, interacting with internal services, or, in this case, writing files to the underlying operating system.

Who's at risk

Exposure: unknown · Auth: unknown · unknown

Enterprise profiles most at risk

  • Organizations utilizing Cisco Unified Communications Manager (Unified CM) for their communication infrastructure, particularly those with internet-facing instances.
  • Financial services, due to documented targeting by financially motivated groups like FIN7, LockBit affiliates, and APT38 (Lazarus).
  • Technology sector, given assessed targeting by state-sponsored groups like APT29 (Cozy Bear) and financially motivated groups like Scattered Spider.

Misconfigurations that escalate it

  • Lack of network segmentation between Unified CM instances and other critical internal systems.
  • Insufficient monitoring of Unified CM for unusual outbound connections or file write activities.
  • Failure to apply security updates and patches promptly to communication infrastructure.

High-impact scenarios

  • An unauthenticated, remote attacker gaining root privileges on the Unified CM server, leading to full system compromise.
  • Attackers using the compromised Unified CM as a pivot point to access other internal network resources.
  • Disruption of critical communication services and potential data exfiltration from the compromised system.

Likely adversaries

  • FIN7 — Financial services (Assessed)
  • LockBit affiliates — Financial services (Assessed)
  • APT38 (Lazarus) — Financial services (Assessed)
  • APT29 (Cozy Bear) — Technology (Assessed)
  • Scattered Spider — Technology (Assessed)

What to do (defensive)

Detect

  • Monitor Cisco Unified CM logs for unusual file write operations or unexpected system modifications.
  • Implement network intrusion detection systems (NIDS) to flag suspicious outbound connections originating from Unified CM instances.
  • Regularly audit system configurations and file integrity on Unified CM servers for unauthorized changes.

Contain

  • Isolate affected Cisco Unified CM instances from the broader network if compromise is suspected.
  • Block all non-essential inbound and outbound network traffic to and from Unified CM servers.
  • Review and revoke any potentially compromised credentials associated with the Unified CM system.

Patch

  • Apply the latest security patches and updates from Cisco for Unified Communications Manager (Unified CM) as soon as they become available.
  • Follow Cisco's official advisories and mitigation guidance for CVE-2026-20230.

Frontier verdict — Critical

This is a Critical priority due to active exploitation in the wild (CISA KEV) and the potential for unauthenticated remote root compromise of Cisco Unified CM, impacting critical communication infrastructure.

For detection-engineering and awareness only · point-in-time · not security advice · sourced from NVD, FIRST EPSS, CISA KEV. Adversary mappings are assessments unless cited.