Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ssrf (3 articles)

Cisco Unified CM flaw now exploited to gain root on phone systems

A flaw in Cisco Unified Communications Manager, the system that runs enterprise phone and call infrastructure, is now being exploited in attacks. The bug (CVE-2026-20230) is a server-side request forgery that lets an unauthenticated attacker send a crafted HTTP request to write files onto the underlying system, which can then be used to escalate to root and fully take over the server. Cisco patched it on June 3 and rates it critical; public exploit code has been available since, and security firms now see active exploitation attempts. The flaw is only exploitable when the WebDialer service is enabled, which is not the default.

Check
Check whether your Cisco Unified CM or Session Management Edition deployments have the WebDialer service enabled and confirm the software version, then review system logs for unexpected file writes or webshells.
Affected
Cisco Unified CM and Unified CM SME with the WebDialer service enabled (CVE-2026-20230); version 14 before 14SU6 and version 15 before 15SU5, especially with management interfaces reachable by attackers.
Fix
Patch to Cisco Unified CM 14SU6 or apply the version 15 interim fix, or disable the WebDialer service if it is not needed, and restrict management interfaces to trusted networks.

Cisco Unified CM critical SSRF CVE-2026-20230 lets unauthenticated attackers write files and escalate to root - public PoC, WebDialer required

Cisco has patched CVE-2026-20230, a critical server-side request forgery flaw in Unified Communications Manager (formerly CallManager), the central control system for Cisco IP telephony. An unauthenticated remote attacker can send a crafted HTTP request to write files to the underlying OS and later elevate to root - Cisco rated it Critical despite the CVSS score because of that root-escalation potential. Cisco's PSIRT is aware of public proof-of-concept exploit code but has not seen active exploitation yet. The flaw only affects systems with the WebDialer service enabled, which is off by default. There are no workarounds; admins should upgrade to 14SU6 or 15SU5, or disable WebDialer until patched.

Check
Inventory Cisco Unified CM deployments and check whether WebDialer is enabled (Tools > Service Activation > CTI Services). Confirm version against fixed 14SU6 or 15SU5. Monitor for crafted HTTP requests.
Affected
Cisco Unified CM systems with the WebDialer service enabled (off by default). CVE-2026-20230 allows unauthenticated SSRF to write files and escalate to root. Public PoC exists; no active exploitation yet.
Fix
Upgrade to Unified CM 14SU6 or 15SU5. If patching must wait, disable the Cisco WebDialer Web Service via Service Activation to block exploitation. No other workaround exists.

LMDeploy LLM-serving SSRF (CVE-2026-33626) exploited within 13 hours of disclosure - attackers used the vision-language image loader as a generic port-scanner against AWS metadata, Redis, and MySQL

Sysdig observed the first in-the-wild exploitation of CVE-2026-33626 against its honeypot fleet 12 hours and 31 minutes after the GitHub advisory went live on April 21. LMDeploy is Shanghai AI Laboratory's open source toolkit for serving vision-language and text LLMs. The flaw is in load_image() in lmdeploy/vl/utils.py: it fetches arbitrary URLs from the image_url field without validating link-local, loopback, or RFC1918 ranges. CVSS 7.5. The attacker used LMDeploy as a generic SSRF primitive over an eight-minute session - port-scanning AWS IMDS, localhost Redis, MySQL, and an admin interface. v0.12.3 fixes it.

Check
If your team runs LLM-serving infrastructure (LMDeploy, vLLM, TGI, Ollama, Ray Serve), audit it this week for unvalidated URL fetching and put proper egress filtering in place.
Affected
LMDeploy versions before 0.12.3 with vision-language support enabled. Cloud GPU inference deployments are at acute risk because the SSRF directly targets the metadata service - on a misconfigured node this yields IAM credentials with broad access to S3 model artifacts, training data, and cross-account roles.
Fix
Upgrade LMDeploy to 0.12.3+. On every cloud-hosted inference node, enforce IMDSv2 with token requirement (this alone defeats IAM exfil). Restrict outbound egress from GPU nodes to required destinations only. Block 169.254.169.254 from any inference container that has no use case for reaching it. Apply the same logic to vision-LLM image loaders, agent tool-use endpoints, and RAG fetchers. Block 103.116.72[.]119 at the edge.
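An added example, not LMDeploy's own code: the pre-fetch check an image loader like load_image() was missing, rejecting link-local, loopback and RFC1918 targets (including the IMDS address hidden in IPv4-mapped IPv6 form) and refusing any hostname whose DNS answers include such an address. The function names and the pluggable resolver parameter are assumptions for illustration; the default resolver uses the system DNS.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Cloud metadata endpoints are the high-value SSRF target, so they are named
# explicitly even though 169.254.169.254 is already caught by is_link_local.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.169.254/32"),  # AWS/GCP/Azure IMDS (IPv4)
    ipaddress.ip_network("fd00:ec2::254/128"),   # AWS IMDS (IPv6)
]

def default_resolver(host):
    """Every A/AAAA answer for host, with IPv6 scope IDs (%eth0) stripped."""
    return [info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)]

def is_blocked_address(addr):
    """True if addr lies in a range an image loader must never connect to."""
    ip = ipaddress.ip_address(addr)
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d first
    return (
        ip.is_private or ip.is_loopback or ip.is_link_local  # RFC1918, 127/8, 169.254/16, fe80::/10
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
        or any(ip in net for net in BLOCKED_NETWORKS)
    )

def check_image_url(url, resolver=default_resolver):
    """Return (allowed, reason). Every resolved address must pass, so a name
    that resolves to a mix of public and internal addresses is refused."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    try:
        ipaddress.ip_address(host)  # IP literal: check it directly
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)  # hostname: check every answer
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, f"{host} did not resolve"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} -> {addr} is an internal or metadata address"
    # Connect to a vetted address rather than re-resolving, or a DNS rebind
    # between this check and the fetch bypasses it.
    return True, "ok: " + ",".join(addrs)
```

This check complements, not replaces, the egress filtering and IMDSv2 enforcement above: a URL filter in the application is the last line, not the only one.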