PROBABLYPWNED
Vulnerabilities | June 25, 2026 | 4 min read

Cisco Unified CM SSRF Flaw Now Dropping Webshells in the Wild

Attackers exploit CVE-2026-20230 in Cisco Unified Communications Manager to deploy webshells via Tor-routed automated attacks. Patching alone won't remove existing compromises.

Marcus Chen

A critical server-side request forgery vulnerability in Cisco's Unified Communications Manager has escalated from proof-of-concept to active exploitation in under three weeks.

TL;DR

  • What happened: CVE-2026-20230, a CVSS 8.6 SSRF flaw, is now being exploited to deploy JSP webshells on Cisco Unified CM servers
  • Who's affected: Organizations running Unified CM or Unified CM SME with WebDialer enabled
  • Action required: Patch immediately and audit for existing webshells—patching alone does not remove backdoors

The Vulnerability

CVE-2026-20230 stems from improper input validation in HTTP request handling within Cisco Unified Communications Manager and Unified CM Session Management Edition. An unauthenticated remote attacker can craft HTTP requests that trigger server-side request forgery, ultimately enabling file writes to the underlying operating system with root privileges.

Cisco released patches on June 3 and noted that exploitation requires the WebDialer service to be enabled—WebDialer is disabled by default, which limits exposure for organizations that don't use the feature. But for those who do, the attack surface is fully unauthenticated and remotely accessible.

Exploitation in the Wild

According to threat intelligence firm Defused, attackers began automated scanning and exploitation over the weekend of June 21-22, with activity accelerating through June 24. The observed attack chain involves:

  1. SSRF abuse to deploy a rogue Apache Axis service
  2. First-stage JSP file-writer placed via the malicious service
  3. Second-stage command execution shell deployed to /platform-services/axis2-web/

All observed exploitation traffic routes through Tor exit nodes, complicating attribution. The attacks appear automated rather than targeted—threat actors are sweeping for any exposed WebDialer service and deploying generic webshells for later access.

This continues a pattern of Cisco vulnerabilities being rapidly weaponized. The CISA KEV additions from June 23 included the related Cisco SD-WAN flaw CVE-2026-20245, which Mandiant confirmed was exploited as a zero-day for two months before public disclosure.

The Patching Problem

Here's what security teams need to understand: patching closes the door, but it doesn't evict anyone already inside. Organizations that ran vulnerable WebDialer configurations between June 3 and whenever they applied updates may already have webshells present.

The webshells persist in /platform-services/axis2-web/ even after the underlying SSRF vulnerability is patched. Security teams must audit this directory for unexpected JSP files and examine web server logs for anomalous POST requests to those paths.

Recommended Mitigations

  1. Apply Cisco patches immediately for Unified CM and Unified CM SME
  2. Disable WebDialer if the service isn't required for business operations
  3. Audit for webshells in /platform-services/axis2-web/ and related directories
  4. Review web server logs for unusual POST requests targeting JSP files
  5. Block Tor exit nodes at the perimeter if not required for business use
  6. Assume compromise for systems that were exposed before patching and conduct forensic analysis

Why This Matters

Unified Communications Manager sits at the heart of enterprise voice infrastructure. A webshell on these systems provides attackers persistent access to a network segment that organizations often treat as trusted infrastructure.

The speed of exploitation—from public PoC to automated attacks in under three weeks—reflects the compressed timelines security teams now face. The June 2026 Patch Tuesday set records with 200 vulnerabilities, and defenders simply can't patch everything instantly.

Organizations should review their vulnerability management processes to ensure critical network infrastructure receives priority attention.

Frequently Asked Questions

Is WebDialer enabled by default? No, WebDialer is disabled by default on Cisco Unified CM. Organizations that haven't explicitly enabled it are not vulnerable to this attack chain.

How do I check if I've been compromised? Search /platform-services/axis2-web/ for any JSP files that weren't part of the original installation. Review web server access logs for POST requests to unknown JSP endpoints, particularly those originating from Tor exit nodes.
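The two checks above (mitigation steps 3 and 4, repeated in this FAQ answer) can be scripted. The following is an added example, not code from the article or from Cisco: it diffs the JSP files found in /platform-services/axis2-web/ against a known-good baseline, and parses access-log lines for POST requests to JSP files under that path, flagging any whose source IP is in a caller-supplied Tor exit-node set. The Combined Log Format regex, the baseline file list, the sample IPs and the log lines are all assumptions or constructed data; confirm the real log layout and build the baseline from a clean install of the same Unified CM version before relying on it.

```python
"""Added example (not from the original article): baseline-diff the webshell
drop directory and flag anomalous POST requests to JSP files in access logs.
The /platform-services/axis2-web/ path comes from the article; the log format
(Apache/Tomcat combined log) and the baseline file list are assumptions.
"""
import re
from datetime import datetime

# Directory named in the article as the webshell drop location.
WEBSHELL_DIR = "/platform-services/axis2-web/"

# Combined Log Format (assumed; verify against the appliance's real logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def unexpected_jsp_files(present, baseline):
    """Return JSP paths in `present` that are absent from the known-good
    baseline (a file list captured from a clean install of the same version)."""
    base = set(baseline)
    return sorted(
        f for f in present
        if f.lower().endswith(".jsp") and f not in base
    )


def suspicious_posts(log_lines, watch_dir=WEBSHELL_DIR, tor_exits=frozenset()):
    """Parse access-log lines; return POST requests to JSP files under
    watch_dir. Each hit notes whether the client IP is in `tor_exits`
    (caller-provided set; no exit-node list is bundled here)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or foreign line: skip, don't crash the audit
        if m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]  # ignore query string
        if not (path.startswith(watch_dir) and path.lower().endswith(".jsp")):
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": path,
            "status": int(m.group("status")),
            "tor_exit": m.group("ip") in tor_exits,
        })
    return hits


# --- Constructed sample data (not real files, addresses or log entries) ---
BASELINE_FILES = [
    WEBSHELL_DIR + "index.jsp",
    WEBSHELL_DIR + "listServices.jsp",
]
FOUND_FILES = BASELINE_FILES + [
    WEBSHELL_DIR + "upd.jsp",          # hypothetical unexpected file
    WEBSHELL_DIR + "css/axis-style.css",  # non-JSP, must be ignored
]
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Jun/2026:03:14:07 +0000] '
    '"POST /platform-services/axis2-web/upd.jsp HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [24/Jun/2026:03:15:22 +0000] '
    '"GET /platform-services/axis2-web/index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [24/Jun/2026:03:16:01 +0000] '
    '"POST /ccmadmin/j_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'not a log line at all',
]
SAMPLE_TOR_EXITS = frozenset({"203.0.113.10"})  # placeholder, not a real exit


def audit(files=FOUND_FILES, baseline=BASELINE_FILES,
          log_lines=SAMPLE_LOG, tor_exits=SAMPLE_TOR_EXITS):
    """Run both checks and return a summary dict for reporting or asserting."""
    return {
        "unexpected_jsp": unexpected_jsp_files(files, baseline),
        "suspicious_posts": suspicious_posts(log_lines, tor_exits=tor_exits),
    }


if __name__ == "__main__":
    result = audit()
    for f in result["unexpected_jsp"]:
        print("UNEXPECTED JSP:", f)
    for h in result["suspicious_posts"]:
        flag = " (Tor exit)" if h["tor_exit"] else ""
        print(f"POST {h['path']} from {h['ip']} at {h['time']:%Y-%m-%d %H:%M}{flag}")
```

On a real system, feed `unexpected_jsp_files` a recursive listing of the directory and `suspicious_posts` the Tomcat access log; a match in either list is a reason to treat the host as compromised and move to forensic analysis rather than simply deleting the file.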
