CVE-2026-20230 Active Exploitation Hits Cisco Unified CM WebDialer Days After Public PoC

Defused Cyber detected the first in-the-wild attempts using unvetted PoC code that issues crafted HTTP requests to write files via the WebDialer component. SSD Secure Disclosure later published the hostname-leakage chain that turns the SSRF primitive into arbitrary file placement on the underlying OS. Cisco’s advisory still omits exploitation status even after the second confirmed active campaign against the same product line in two weeks. Enterprise voice systems remain attractive targets because WebDialer is frequently enabled for CTI integrations yet rarely appears in standard vulnerability scans. The pattern mirrors the rapid weaponization of CVE-2026-20262 in Catalyst SD-WAN Manager, where public PoCs preceded observed exploitation by less than 72 hours. Procurement records show Unified CM clusters often run years behind on feature-service patches, extending the window for root-level persistence. Patching to 14SU6 or 15SU5 is required; otherwise the service must be disabled through the Feature Services control center. Continued monitoring of the single observed source IP range will indicate whether additional actors adopt the same file:// payload technique before broader PoC distribution occurs.