
Active Exploitation of Cisco Unified CM SSRF Vulnerability (CVE-2026-20230) to Deploy Webshells
A server-side request forgery (SSRF) vulnerability, CVE-2026-20230, in Cisco Unified Communications Manager (Unified CM), an enterprise communication platform, is being actively exploited to deploy webshells and achieve remote code execution on affected servers. Threat intelligence firm Defused first detected the attacks in honeypots and reported observing automated attacks over the weekend, with malicious activity originating via Tor. The exploitation chain abuses the WebDialer SSRF to install a rogue Apache Axis service, which is then used to write a first-stage payload.
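
A defender-side check for the rogue Apache Axis service step described above, as an added example that is not from Defused or Cisco: it diffs the services declared in an Axis 1.x-style WSDD deployment descriptor against a known-good baseline. That Unified CM stores its Axis services in this format is an assumption, and the baseline and sample descriptor (including `ExampleDialerService` and `svc-unknown-01`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSDD_NS = "{http://xml.apache.org/axis/wsdd/}"

# Constructed baseline: service name -> implementing class, taken from a known-good host.
BASELINE = {
    "AdminService": "org.apache.axis.utils.Admin",
    "Version": "org.apache.axis.Version",
    "ExampleDialerService": "com.example.dialer.DialerSoapImpl",  # hypothetical name
}

# Constructed sample descriptor: one service missing from the baseline, one class changed.
SAMPLE_WSDD = """<deployment xmlns="http://xml.apache.org/axis/wsdd/">
  <service name="AdminService" provider="java:MSG">
    <parameter name="className" value="org.apache.axis.utils.Admin"/>
  </service>
  <service name="Version" provider="java:RPC">
    <parameter name="className" value="com.example.Replaced"/>
  </service>
  <service name="ExampleDialerService" provider="java:RPC">
    <parameter name="className" value="com.example.dialer.DialerSoapImpl"/>
  </service>
  <service name="svc-unknown-01" provider="java:RPC">
    <parameter name="className" value="com.example.Unknown"/>
  </service>
</deployment>"""

def deployed_services(wsdd_text):
    """Return {service name: className parameter} for every <service> in the descriptor."""
    root = ET.fromstring(wsdd_text)
    services = {}
    for svc in root.iter(WSDD_NS + "service"):
        params = {p.get("name"): p.get("value") for p in svc.findall(WSDD_NS + "parameter")}
        services[svc.get("name")] = params.get("className")
    return services

def audit(wsdd_text, baseline):
    """List services that are absent from the baseline or whose class differs from it."""
    findings = []
    for name, cls in sorted(deployed_services(wsdd_text).items()):
        if name not in baseline:
            findings.append(("unexpected-service", name, cls))
        elif baseline[name] != cls:
            findings.append(("class-changed", name, cls))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_WSDD, BASELINE):
        print(*finding)
```

Any finding warrants checking when the descriptor last changed and what the named class does before the service is removed.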