
Cisco Unified CM CVE-2026-20230 now drops webshells via Tor

Three weeks after the June 3 patch, Defused honeypots see automated Tor-routed sweeps deploying multi-stage JSP shells via the WebDialer SSRF. Patch alone won't evict them.

Published 4 min read

CVE-2026-20230, the unauthenticated server-side request forgery in Cisco Unified Communications Manager and Unified CM Session Management Edition, has crossed from reconnaissance to automated webshell deployment. Cisco shipped the fix on June 3 in advisory cisco-sa-cucm-ssrf-cXPnHcW. Three weeks later, on June 24, exploit-tracking outfit Defused reported its honeypots receiving Tor-routed sweeps that drop a multi-stage JSP shell using the same WebDialer chain a public PoC demonstrated in early June.

What's affected

Per the Cisco advisory, the SSRF lives in the WebDialer HTTP request handler. CVSS v3.1 is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N), but Cisco PSIRT rates the Security Impact Rating (SIR) as Critical because the SSRF allows arbitrary file writes that pivot to code execution as root. The CVE record in the CVE Project repository confirms the same scoring and the CWE-918 (Server-Side Request Forgery) classification.

Fixed releases:

  • Unified CM 14: 14SU6 (released June 3).
  • Unified CM 15: full Service Update 15SU5 is not due until September 2026. Cisco shipped an interim COP patch for 15.x at disclosure.
  • Unified CM SME: same matrix as the base product.

WebDialer is off by default but routinely enabled in production because it backs the click-to-call feature used by every CTI integration and most softphone deployments.

Exploitation status

Defused first flagged the activity over the weekend of June 21–22, when its honeypots logged file:// payload tests against /tmp/cve-2026-20230-test.txt — fingerprinting only. By June 24 the same operator switched to a three-stage payload chain, all traffic routed through Tor. The chain, as Defused described it across the outlets reporting the activity (BleepingComputer, SecurityWeek, Help Net Security, The Register, CSO Online, SecurityAffairs, The Hacker News):

  1. Abuse the WebDialer SSRF to deploy a rogue Apache Axis service under the application server.
  2. Use that service to write a first-stage JSP file-writer.
  3. Drop a second-stage command-execution JSP shell under /platform-services/axis2-web/.

Once stage three lands, the attacker no longer needs the original SSRF — the webshell is a persistent foothold that the June 3 patch does not remove. Any CUCM that was internet-reachable on WebDialer before the patch was applied should be treated as potentially backdoored.

Action checklist

  1. Patch immediately. Branch 14 → 14SU6. Branch 15 → install the interim COP patch from the Cisco advisory; do not wait for 15SU5 in September.
  2. Disable WebDialer on CUCM nodes that don't need it operationally. If you don't ship click-to-call from a CTI integration, the service has no business being reachable.
  3. Hunt for the webshell. Inspect /platform-services/axis2-web/ on every CUCM and CUCM-SME node. The Defused chain leaves a JSP file-writer plus a command shell at that path. Any .jsp under axis2-web/ that you did not deploy is presumed compromise.
  4. Look for an installed Apache Axis service that you did not deploy. A rogue Axis instance configured at runtime is part of stage one — its presence is itself an IOC.
  5. Audit outbound Tor traffic from CUCM nodes for the past 30 days. Defused observed all exploitation routing through Tor exit nodes; CUCM has no business talking to Tor.
  6. Rotate every CUCM admin credential and any service account reachable from a compromised node, and review SBC / SIP-trunk telemetry for anomalous calls during the same window.
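Steps 3 to 5 of the checklist can be scripted. The following hunting script is an added example and is not Cisco's, Defused's or any vendor's tooling. From the article it takes the June 3 patch date, the /platform-services/axis2-web/ shell location, the /tmp/cve-2026-20230-test.txt probe file and Tor as the transport. Everything else is an assumption: that the web access log is in Apache/Tomcat combined format, that the WebDialer handler is served under a /webdialer/ URL path, and that you supply your own pre-patch JSP baseline and a Tor relay IP list. The sample log lines, file names and addresses are constructed.

```python
"""Hunt for CVE-2026-20230 post-exploitation artifacts on a CUCM node.
Added example; not Cisco's, Defused's or any vendor's tooling. From the article:
patch date 2026-06-03, shell path /platform-services/axis2-web/, the probe file
/tmp/cve-2026-20230-test.txt, Tor as transport. Assumed, not on the page: the
access log is Apache/Tomcat "combined" format, WebDialer is served under a
/webdialer/ URL path, and you supply the JSP baseline and a Tor relay IP set."""
import re
from datetime import datetime, timezone
from pathlib import Path

PATCH_DATE = datetime(2026, 6, 3, tzinfo=timezone.utc)      # from the article
AXIS2_WEB = "platform-services/axis2-web"                   # from the article
PROBE_FILE = "/tmp/cve-2026-20230-test.txt"                 # from the article
WEBDIALER = re.compile(r"^/webdialer/", re.I)               # assumed handler path
SCHEME_IN_PARAM = re.compile(r"=(?:file|https?|ftp|gopher|dict)://", re.I)  # SSRF hint
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "[^"]*"$')          # combined log format

def scan_jsp_records(records, known_good, patch_date=PATCH_DATE):
    """records: (path relative to axis2-web, aware UTC mtime). Flags every .jsp
    missing from the baseline allowlist or written on/after the patch date."""
    hits = []
    for rel, mtime in records:
        reasons = []
        if rel not in known_good:
            reasons.append("not-in-baseline")
        if mtime >= patch_date:
            reasons.append("modified-after-patch")
        if reasons:
            hits.append((rel, reasons))
    return hits

def collect_jsp_records(root):
    """Yield records for scan_jsp_records() from <root>/platform-services/axis2-web
    (a live node, or a disk image mounted at <root>)."""
    base = Path(root) / AXIS2_WEB
    for p in (base.rglob("*.jsp") if base.is_dir() else []):
        yield p.relative_to(base).as_posix(), datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)

def scan_access_log(lines, known_good):
    """(line_no, reason, client_ip) for WebDialer requests carrying a URL-scheme
    payload or the probe file, and for invocations of non-baseline JSPs under
    axis2-web (a dropped shell being used)."""
    findings, prefix = [], "/" + AXIS2_WEB + "/"
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = m["url"]
        path = url.split("?", 1)[0]
        if WEBDIALER.match(path) and (SCHEME_IN_PARAM.search(url) or PROBE_FILE in url):
            findings.append((n, "webdialer-ssrf-payload", m["ip"]))
        elif path.startswith(prefix) and path.endswith(".jsp") and path[len(prefix):] not in known_good:
            findings.append((n, "unexpected-jsp-invoked", m["ip"]))
    return findings

def flag_tor_flows(flows, tor_nodes):
    """flows: (src_ip, dst_ip). Exploitation arrived from Tor exits, and a shell
    may call back out through Tor, so both directions are checked."""
    out = []
    for src, dst in flows:
        if src in tor_nodes:
            out.append((src, dst, "inbound-from-tor"))
        elif dst in tor_nodes:
            out.append((src, dst, "outbound-to-tor"))
    return out

# Constructed sample data (TEST-NET addresses, placeholder file names), not real node output.
KNOWN_GOOD_JSP = frozenset({"index.jsp"})                   # your pre-patch baseline
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jun/2026:02:11:09 +0000] "GET /webdialer/Webdialer?param=file:///tmp/cve-2026-20230-test.txt HTTP/1.1" 200 312 "-" "curl/8.4.0"
203.0.113.10 - - [24/Jun/2026:03:14:07 +0000] "POST /platform-services/axis2-web/unexpected.jsp HTTP/1.1" 200 17 "-" "python-requests/2.31"
192.168.1.20 - - [24/Jun/2026:03:15:00 +0000] "GET /webdialer/Webdialer?param=4085551212 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.21 - - [24/Jun/2026:03:16:00 +0000] "GET /platform-services/axis2-web/index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
SAMPLE_JSP = [("index.jsp", datetime(2026, 5, 1, tzinfo=timezone.utc)),
              ("unexpected.jsp", datetime(2026, 6, 24, 3, 14, tzinfo=timezone.utc))]
TOR_NODES = frozenset({"203.0.113.10", "198.51.100.7"})      # stand-in for a real relay list
SAMPLE_FLOWS = [("203.0.113.10", "192.168.1.10"), ("192.168.1.10", "198.51.100.7"),
                ("192.168.1.10", "192.168.1.50")]

def hunt_sample():
    """All three checks over the constructed sample, keyed by check name."""
    return {"jsp": scan_jsp_records(SAMPLE_JSP, KNOWN_GOOD_JSP),
            "log": scan_access_log(SAMPLE_LOG.splitlines(), KNOWN_GOOD_JSP),
            "tor": flag_tor_flows(SAMPLE_FLOWS, TOR_NODES)}

if __name__ == "__main__":
    for check, hits in hunt_sample().items():
        print(check, *hits, sep="\n  ")
```

On a real node, replace SAMPLE_JSP with collect_jsp_records("/") (or the mount point of a forensic image), feed the actual access log to scan_access_log, and build TOR_NODES from a current relay list rather than the two stand-in addresses. The baseline allowlist matters more than the date check: a shell written before June 3 on a node that was exposed early would pass the mtime test but fail the allowlist.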

Context

The June 3 → June 24 gap matches the pattern of the spring's Citrix and Ivanti zero-days: vendor ships the fix without observed exploitation, public PoC drops within hours, mass scanning starts on a 2–3 week lag, and by week three a small operator is automating webshell drops. The first EN brief on this CVE went out alongside the June 8 Cisco SD-WAN Manager double zero-day, and our French desk filed on CVE-2026-20230 itself on June 8 when only the PoC was public. Today's escalation is the predictable next beat.

The operational lesson — restated because every Cisco appliance-class CVE rehearses it — is that patching after the post-exploitation phase has started is half the job. The other half is presuming the compromise and hunting for what the patch can't undo.
