Same-Day Shells: A Full-Chain RCE Sweep Against Cisco CUCM (CVE-2026-20230)



Published on 24 June 2026
10 min read
Threat Intelligence | Vulnerability Advisory | Cisco

In February we wrote about the quiet ones - an operator planting dormant Ivanti EPMM implants and walking away, building inventory for a later handoff. This is the opposite story. This one is loud, fast, and fully automated, and it went from public proof-of-concept to fleet-wide remote code execution in roughly a day.

We first flagged exploitation of CVE-2026-20230 - the Cisco Unified Communications Manager (CUCM) WebDialer SSRF - over the preceding weekend. That early activity was a single source quietly tagging vulnerable hosts: a benign marker file written to confirm the SSRF primitive worked, nothing more. A vuln-check, not a weapon.

On 23 June 2026, SSD Secure Disclosure published a full technical write-up and a working exploit chain. On 24 June 2026, between 04:06 and 04:08 UTC, that chain arrived on our CUCM decoys at speed - a complete SSRF → arbitrary file-write → root-capable webshell sequence, replayed near-verbatim from the public proof-of-concept, with every request fronted by Tor.

Key Takeaway: A public PoC for CVE-2026-20230 was weaponised inside 24 hours. The observed chain abuses the WebDialer SSRF to deploy a rogue Apache Axis service, uses that service to write a first-stage JSP file-writer, then drops a second-stage command-execution shell under /platform-services/axis2-web/. The exec shell is gated by the literal password 123 - lifted straight from the PoC. Service names and shell filenames are randomised per run, but the structure, traversal depth, and payloads are identical. If you run CUCM with WebDialer enabled and haven't patched, assume scanning has already reached you.

# The Vulnerability

CVE-2026-20230 is a server-side request forgery flaw (CWE-918) in Cisco Unified Communications Manager and Unified CM Session Management Edition, disclosed by Cisco on 3 June 2026. The root cause is improper validation of specific HTTP requests handled by the WebDialer component, which lets an unauthenticated attacker coerce the server into making attacker-controlled outbound requests - and, more usefully, into writing arbitrary files to the underlying OS.

The CVSS base score is 8.6, but Cisco assigned a Critical Security Impact Rating (the SIR is Cisco's own rating and is not derived from the CVSS score), because the file-write is a foothold rather than the endpoint: the written file can be turned into a path to root. WebDialer is disabled by default, and exploitation requires it to be enabled - which is the single most important fact for triage: a node with the WebDialer service stopped is not exposed to this chain, and a node with it running should be treated as exposed until patched. The fix landed as 14SU6 for the 14 train; release 15 needs 15SU5 or the interim COP patch.

There's recent precedent here that's worth keeping in mind. In January, Cisco patched CVE-2026-20045, a separate unauthenticated RCE across its voice products that was already being exploited as a zero-day; CISA added it to the Known Exploited Vulnerabilities catalogue on 21 January. As of writing, CVE-2026-20230 is not yet in KEV - but the in-the-wild activity documented below is precisely the evidence that drives a listing.

# From Vuln-Check to Weaponised Chain

The weekend activity and the 24 June sweep target the same vulnerability but are two completely different operations.

The weekend tagging used a simple SSRF primitive to write a harmless marker and move on - the behaviour of someone enumerating exposed, vulnerable CUCM instances to build a target list. The 24 June activity uses the full SSD chain, and it isn't checking whether the box is vulnerable. It's taking it.

The technique at the centre of the chain is an old friend wearing a new badge. The SSRF is used to reach an internal Apache Axis endpoint and write an Axis service deployment descriptor - the same pattern as CVE-2019-0227 in Apache Axis 1.4, where an SSRF was used to reach the locally exposed AdminService and deploy an attacker-supplied WSDD. Once that descriptor lands, the attacker has registered a brand-new SOAP service on the target that they fully control, and that service can write files anywhere the Tomcat process can reach.

# Anatomy of the Sweep

Across our sensors the operation ran as a clean, staged pipeline. Different Tor exit nodes handled different stages of the same chain within seconds of each other, which is consistent with a single automated tool rotating through an exit pool rather than independent actors converging on the same target. The practical consequence for defenders: grouping by source IP splits the chain into unrelated-looking single requests, so correlate by target and time window instead.

# Stage 1: Recon

`GET /webdialer/Version.jws?wsdl`

The chain opens by pulling the WebDialer WSDL. This is the PoC's hostname-disclosure step: the SSRF endpoint validates the requested host and blocks the obvious localhost/127.0.0.1 targets, so the attacker first needs the box's true short hostname, which this unauthenticated endpoint leaks. On its own this request looks like benign service discovery - which is exactly why it's worth alerting on in context.

# Stage 2: SSRF to a Rogue Axis Service

GET...
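The Key Takeaway above (randomised filenames, fixed structure, exec shell under /platform-services/axis2-web/ gated by the literal 123) and the Stage 1 note (the WSDL pull only matters in context, and stages arrive from different Tor exits) together describe what a detection should key on. The following is an added example written for this page, not code from the write-up, from SSD, or from Cisco. It assumes a Tomcat/Apache "combined" access-log format, an illustrative allowlist of stock Axis2 pages that you would baseline against your own node, a 120-second correlation window, and constructed log lines in which the query parameter names `pwd` and `cmd` are invented for illustration; only the gate value 123 comes from the page.

```python
import re
from datetime import datetime, timedelta

# Apache/Tomcat "combined" access-log format (assumption: adjust LOG_RE if your
# CUCM front end logs in a different shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# JSPs that ship with a stock Axis2 web UI. Illustrative allowlist (assumption):
# baseline it against a known-good CUCM node before relying on it.
KNOWN_AXIS2_PAGES = {"index.jsp", "HappyAxis.jsp", "listServices.jsp", "listFaultyServices.jsp"}

SHELL_GATE = "123"  # the literal password the PoC's exec shell checks for

# Constructed sample log lines (not captured traffic). They mimic the sweep's
# shape: WSDL pull, then axis2-web JSP hits from *different* source IPs within
# seconds, followed later by an unrelated WSDL pull and ordinary traffic.
SAMPLE_LOG = """\
10.20.30.41 - - [24/Jun/2026:04:06:12 +0000] "GET /webdialer/Version.jws?wsdl HTTP/1.1" 200 1532 "-" "python-requests/2.31"
10.20.30.42 - - [24/Jun/2026:04:06:15 +0000] "POST /platform-services/axis2-web/k9x2q1.jsp HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.20.30.43 - - [24/Jun/2026:04:06:19 +0000] "GET /platform-services/axis2-web/m7ab3c.jsp?pwd=123&cmd=id HTTP/1.1" 200 210 "-" "python-requests/2.31"
192.168.5.7 - - [24/Jun/2026:09:15:01 +0000] "GET /webdialer/Version.jws?wsdl HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.5.8 - - [24/Jun/2026:09:16:00 +0000] "GET /platform-services/axis2-web/index.jsp HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.168.5.9 - - [24/Jun/2026:09:40:44 +0000] "GET /ccmuser/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    params = dict(p.partition("=")[::2] for p in query.split("&") if p)
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": path,
        "params": params,
        "status": int(m.group("status")),
    }


def classify(ev):
    """Map one request to the chain stage it resembles, or None for ordinary traffic."""
    if ev["path"] == "/webdialer/Version.jws" and "wsdl" in ev["params"]:
        return "recon_wsdl"
    if ev["path"].startswith("/platform-services/axis2-web/") and ev["path"].endswith(".jsp"):
        if ev["path"].rsplit("/", 1)[-1] not in KNOWN_AXIS2_PAGES:
            # Filenames are randomised per run, so match on directory plus an unknown
            # name; any parameter equal to the PoC gate value marks the exec shell.
            return "exec_shell" if SHELL_GATE in ev["params"].values() else "unknown_jsp"
    return None


def analyze(log_text, window=timedelta(seconds=120)):
    """Return alerts for chain stages. Any axis2-web hit that follows a WSDL pull
    within `window` is escalated regardless of source IP, because the sweep
    rotates Tor exits between stages."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    alerts, recon_times = [], []
    for ev in events:
        stage = classify(ev)
        if stage is None:
            continue
        if stage == "recon_wsdl":
            recon_times.append(ev["ts"])
            alerts.append({"sev": "low", "stage": stage, "ip": ev["ip"], "path": ev["path"]})
            continue
        chained = any(timedelta(0) <= ev["ts"] - t <= window for t in recon_times)
        sev = "critical" if (stage == "exec_shell" or chained) else "high"
        alerts.append({"sev": sev, "stage": stage + ("+chained" if chained else ""),
                       "ip": ev["ip"], "path": ev["path"]})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["sev"].upper(), a["stage"], a["ip"], a["path"])
```

The WSDL pull alone stays low severity, as the text says it should: on the constructed input the 09:15 pull from 192.168.5.7 is followed only by a stock `index.jsp` and never escalates, while the 04:06 sequence produces two critical alerts even though every request came from a different address.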

