Attackers Exploit Cisco Unified CM Flaw Weeks After Patch Release
CSO Online reported on June 24 that CVE-2026-20230, a critical Cisco Unified CM vulnerability with a CVSS base score of 8.6 that can grant attackers root access, is now under active exploitation.
At a glance
- CVE-2026-20230 in Cisco Unified CM (CVSS 8.6) is under active exploitation, per Defused's June 23 report.
- Defused observed exploitation from a single source using an unvetted PoC with file:// file-write payloads against its decoys.
- Cisco patched the flaw on June 3 with no known exploitation at disclosure time.
VERDICT — CONFIRMED
CSO Online reported on June 24 that CVE-2026-20230, a critical Cisco Unified CM vulnerability with a CVSS base score of 8.6 that can grant attackers root access, is now under active exploitation. Threat intelligence firm Defused reported the activity on June 23 after observing it over the weekend, describing exploitation from a single source using an unvetted PoC with genuinely-formatted file:// file-write payloads landing on its decoys. Cisco published the advisory and patches on June 3, at which point it said it was not aware of any malicious use.
Key facts on file
- CVE-2026-20230 in Cisco Unified CM (CVSS 8.6) is under active exploitation, per Defused's June 23 report.
- Defused observed exploitation from a single source using an unvetted PoC with file:// file-write payloads against its decoys.
- Cisco patched the flaw on June 3 with no known exploitation at disclosure time.
