THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-2026-06-24-F2
CYBER · ransomware threat groups · 2026-06-24SCOOP 55

Attackers Exploit Cisco Unified CM Flaw Weeks After Patch Release

CSO Online reported on June 24 that CVE-2026-20230, a critical Cisco Unified CM vulnerability with a CVSS base score of 8.6 that can grant attackers root access, is now under active exploitation.

·FILED ISSUE 2026-06-24·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

At a glance

  • CVE-2026-20230 in Cisco Unified CM (CVSS 8.6) is under active exploitation, per Defused's June 23 report.
  • Defused observed exploitation from a single source using an unvetted PoC with file:// file-write payloads against its decoys.
  • Cisco patched the flaw on June 3 with no known exploitation at disclosure time.

VERDICT — CONFIRMED

pipeline-backfill confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
Cyber desk illustration
Generated desk illustration · The Dossier Wire · not a photograph

CSO Online reported on June 24 that CVE-2026-20230, a critical Cisco Unified CM vulnerability with a CVSS base score of 8.6 that can grant attackers root access, is now under active exploitation. Threat intelligence firm Defused reported the activity on June 23 after observing it over the weekend, describing exploitation from a single source using an unvetted PoC with genuinely-formatted file:// file-write payloads landing on its decoys. Cisco published the advisory and patches on June 3, at which point it said it was not aware of any malicious use.

Key facts on file

  • CVE-2026-20230 in Cisco Unified CM (CVSS 8.6) is under active exploitation, per Defused's June 23 report.
  • Defused observed exploitation from a single source using an unvetted PoC with file:// file-write payloads against its decoys.
  • Cisco patched the flaw on June 3 with no known exploitation at disclosure time.

PRIMARY SOURCE

CSO Online
— (2026-06-24) · fetched at filing · archived at publication
EntitiesCiscoDefused

Sources · two-source rule

PRIMARYCSO Online— (2026-06-24)
Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-2026-06-24-f2 · filed 2026-06-24 · https://thedwire.com/wire/cyb-2026-06-24-f2-attackers-exploit-cisco-unified-cm-flaw-weeks-after-patch.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability
Generated illustration · not a photograph
CYBER · SCOOP 99

CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft SharePoint Server flaw, tracked as CVE-2026-45659 (CVSS score v3.1 of 8.8), to its Known Exploited Vulnerabi

exclusive✓ verifiednewSOURCE ↗
READ THE FILE ›
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · SCOOP 67

Linux Kernel Vulnerabilities Expose B&R APROL Products to Local Privilege Escalation (CVSS 7.8)

Per CISA's June 23 ICS advisory, publicly reported Linux kernel vulnerabilities affect kernel versions shipped with B&R products, including Linux for B&R APROL X20EDS410, rated CVSS v3 7.8. Successful local exploitation could allow privilege escalation on affected systems, and public proof-of-concept exploits are available for the flaws.

✓ verifiednewSOURCE ↗
READ THE FILE ›
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · SCOOP 64

OpenSSL Stack Buffer Overflow (CVE-2025-15467) Affects Multiple Siemens Products

CISA's June 23 ICS advisory relays that a stack-based buffer overflow published by OpenSSL — tracked as CVE-2025-15467 for several listed products — allows a remote attacker to cause denial of service or potentially achieve remote code execution. Affected Siemens products include the AI Lightweight Inference Server, Connector for Azure, D

✓ verifiednewSOURCE ↗
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.