CVE-2026-20230 under exploitation, while an earlier SD-WAN 0-day looks even worse than we thought
Analysis Summary
# Vulnerability: Cisco Unified Communications Manager SSRF and SD-WAN Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-20230 / CVE-2026-20245
- **CVSS Score:** Not stated in the source text (severity reported as High/Critical; see the Cisco advisories for the vendor score)
- **CWE:** CWE-918 Server-Side Request Forgery (CVE-2026-20230) / CWE-20 Improper Input Validation (CVE-2026-20245)
## Affected Systems
- **Products:**
- Cisco Unified Communications Manager (CUCM)
- Cisco Catalyst SD-WAN Manager
- **Versions:** Specific versions not detailed in the article; refer to Cisco advisories.
- **Configurations:**
- **CUCM:** Vulnerable via the WebDialer component.
- **SD-WAN:** Vulnerable via the web application interface and CLI.
## Vulnerability Description
- **CVE-2026-20230 (CUCM):** A flaw in HTTP request validation within the WebDialer service allows an attacker to perform a Server-Side Request Forgery (SSRF). This can be chained to deploy rogue services (Apache Axis) and write JSP files to the system, eventually leading to root-level command execution.
- **CVE-2026-20245 (SD-WAN):** An authenticated, local attacker can execute arbitrary commands as root by supplying a crafted input file (a `.csv` file in the observed intrusions). The system fails to properly validate the file's contents, allowing privilege escalation from an administrative account to a full root shell.
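The bug class behind the CUCM entry, shown as an added example rather than WebDialer's code (it says nothing about how CVE-2026-20230 itself fails validation): a server-side URL handler in its trusting shape next to a hardened one. The allowlisted host `directory.example.internal`, the `https`-only policy and the injectable resolver are assumptions chosen for the illustration.

```python
"""Server-side URL handling: the SSRF-prone shape beside a hardened one.

Added example; this is not WebDialer's code and does not describe how
CVE-2026-20230 actually fails validation. It only illustrates the bug class
named above: an HTTP parameter that steers a request the server makes on
the client's behalf, from the server's network position.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy for the example: the only upstream this component is
# meant to call, and the only scheme it should use. Real values are unknown.
ALLOWED_HOSTS = frozenset({"directory.example.internal"})
ALLOWED_SCHEMES = frozenset({"https"})


def vulnerable_target(user_url):
    """SSRF-prone shape: the server fetches whatever URL the client supplied.

    A request for http://127.0.0.1:8443/admin or http://169.254.169.254/...
    leaves the server as if the server itself had asked for it.
    """
    return user_url


def default_resolver(host):
    """Resolve `host` to every A/AAAA address (network call; swapped out in tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_forbidden_address(addr):
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254), etc."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def hardened_target(user_url, resolver=default_resolver):
    """Return (url, vetted_addresses) or raise ValueError.

    Checks, in order: scheme allowlist, no userinfo (blocks the
    https://good.host@evil.host trick), host allowlist, and every resolved
    address outside forbidden ranges. The caller must connect to one of the
    returned addresses instead of resolving again; otherwise a DNS answer
    that changes between check and use (rebinding) defeats the check.
    """
    parts = urlsplit(user_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"host did not resolve: {host!r}")
    for addr in addrs:
        if is_forbidden_address(addr):
            raise ValueError(f"{host} resolves to forbidden address {addr}")
    return user_url, addrs


def is_allowed(user_url, resolver=default_resolver):
    """Boolean wrapper around hardened_target for policy checks and tests."""
    try:
        hardened_target(user_url, resolver)
        return True
    except ValueError:
        return False
```

The allowlist is the control that matters; the address check is a backstop for the case where an allowlisted name is pointed at an internal address. Note that the hardened function returns the vetted addresses on purpose: an HTTP client that re-resolves the name at connect time reintroduces the rebinding window the check closed.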
## Exploitation
- **Status:** Exploited in the wild (Both); PoC available (CVE-2026-20230).
- **Complexity:** Medium (Requires specific chaining or initial admin access).
- **Attack Vector:**
- **CVE-2026-20230:** Network (via HTTP).
- **CVE-2026-20245:** Local/Adjacent (Requires authenticated access or unauthorized peering).
## Impact
- **Confidentiality:** Total (Full visibility of internet traffic and fabric configurations).
- **Integrity:** Total (Ability to create root users like `troot` and modify system files).
- **Availability:** Total (Full root access allows for complete system takeover or disruption).
## Remediation
### Patches
- Cisco released patches for both vulnerabilities in early June 2026. Update to the fixed releases listed in the Cisco advisories for Unified Communications Manager and Catalyst SD-WAN Manager.
### Workarounds
- No workarounds are given in the source text; patching is the primary remediation.
- Compensating controls for SD-WAN Manager deployments: restrict SSH access to the management plane and monitor for unauthorized peering connections.
## Detection
### Indicators of Compromise (IoCs)
- **CUCM:**
- Deployment of an unauthorized Apache Axis service.
- First-stage JSP file-writers.
- Shells located at `[internal-path]/platform-services/axis2-web/`.
- **SD-WAN:**
- Presence of suspicious files such as `evil_tenant.csv`.
- Creation of unauthorized accounts with root privileges (e.g., account name `troot`).
- Unexpected password changes on the `admin` account (even if reverted).
- Use of the `su` (substitute user) command from the `admin` account to access root.
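A hunt script for the indicators above, added here as an example and not tooling from Cisco, Mandiant or the article. It runs over constructed sample input: a file listing, an `/etc/passwd` body and a few syslog-style auth lines. The `/srv/example` path prefix, the host name `sdwan-mgr` and the pam_unix log format are assumptions; the IoC list supplies only the `axis2-web` directory tail, the `evil_tenant.csv` file name and the `troot` account name.

```python
"""Hunt for the CUCM / SD-WAN Manager indicators listed above.

Added example, not tooling from Cisco, Mandiant or the article. The file
paths, host name and log lines below are constructed for the demonstration;
the `su` / `passwd` log formats assume the appliance's underlying Linux logs
through pam_unix the way a stock distribution does, which is an assumption.
"""
import re
from collections import Counter
from pathlib import PurePosixPath

# --- CUCM: JSP drops in the Axis2 web tree --------------------------------

def cucm_jsp_drops(paths, baseline=frozenset()):
    """Return JSP files sitting under any `axis2-web` directory.

    The IoC gives only the tail of the path, so the directory name is matched
    wherever it appears rather than as an absolute prefix. `baseline` is an
    optional set of file names known to ship with a clean install of the same
    version; anything not in it is reported.
    """
    hits = []
    for p in paths:
        pp = PurePosixPath(p)
        if "axis2-web" in pp.parts and pp.suffix.lower() == ".jsp" and pp.name not in baseline:
            hits.append(p)
    return sorted(hits)

# --- SD-WAN Manager: rogue files, UID-0 accounts, admin account activity ---

SUSPICIOUS_FILENAMES = frozenset({"evil_tenant.csv"})

def suspicious_files(paths):
    """Files whose name matches one reported from the SD-WAN intrusions."""
    return sorted(p for p in paths if PurePosixPath(p).name in SUSPICIOUS_FILENAMES)

def extra_uid0_accounts(passwd_text):
    """Every account in /etc/passwd text with UID 0 that is not `root`."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found

# pam_unix lines as written by su and passwd on common Linux distributions
# (assumption, see module docstring). The "(uid=N)" suffixes are optional
# because older versions omit them.
SU_RE = re.compile(
    r"\bsu(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): session opened for user "
    r"(?P<target>\w+)(?:\(uid=\d+\))? by (?P<source>\w+)"
)
PASSWD_RE = re.compile(
    r"\bpasswd(?:\[\d+\])?: pam_unix\(passwd:chauthtok\): password changed for (?P<user>\w+)"
)

def auth_log_findings(lines, watched_account="admin"):
    """Tag each line that is a `su` to root from, or a password change of, `watched_account`.

    Returns a list of (tag, line). Every password change is reported, because
    the indicator holds even when the password is set back afterwards.
    """
    findings = []
    for line in lines:
        m = SU_RE.search(line)
        if m and m.group("source") == watched_account and m.group("target") == "root":
            findings.append(("su_to_root", line))
            continue
        m = PASSWD_RE.search(line)
        if m and m.group("user") == watched_account:
            findings.append(("password_changed", line))
    return findings

def run_hunt(paths, passwd_text, auth_lines):
    """Run every check and return a dict of results; empty values mean no hit."""
    findings = auth_log_findings(auth_lines)
    return {
        "cucm_jsp_drops": cucm_jsp_drops(paths),
        "suspicious_files": suspicious_files(paths),
        "extra_uid0_accounts": extra_uid0_accounts(passwd_text),
        "auth_findings": findings,
        "password_change_count": Counter(tag for tag, _ in findings)["password_changed"],
    }

# Constructed sample data. The /srv/example prefix is made up; only the
# axis2-web component comes from the IoC list.
SAMPLE_PATHS = [
    "/srv/example/platform-services/axis2-web/css/axis-style.css",
    "/srv/example/platform-services/axis2-web/cmd.jsp",
    "/home/admin/evil_tenant.csv",
    "/var/log/auth.log",
]
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nadmin:x:1000:1000::/home/admin:/bin/sh\ntroot:x:0:0::/root:/bin/bash\n"
SAMPLE_AUTH_LOG = [
    "Jun  3 02:14:07 sdwan-mgr su[4182]: pam_unix(su:session): session opened for user root(uid=0) by admin(uid=1000)",
    "Jun  3 02:14:31 sdwan-mgr passwd[4190]: pam_unix(passwd:chauthtok): password changed for admin",
    "Jun  3 02:15:02 sdwan-mgr sshd[4201]: Accepted password for admin from 203.0.113.5 port 51022 ssh2",
    "Jun  3 02:16:40 sdwan-mgr passwd[4211]: pam_unix(passwd:chauthtok): password changed for admin",
]

if __name__ == "__main__":
    for key, value in run_hunt(SAMPLE_PATHS, SAMPLE_PASSWD, SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

On a real system the inputs would be `find / -type f` output, the contents of `/etc/passwd`, and `/var/log/auth.log` or the equivalent journal export. Two password changes on `admin` minutes apart is exactly the "changed, then reverted" pattern the IoC list calls out, which is why the script counts changes instead of comparing the current hash to a known value.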
## References
- Cisco CUCM Advisory: hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW
- Cisco SD-WAN Advisory: hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx
- Mandiant Research: hxxps[://]cloud[.]google[.]com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager
- Defused Threat Intel: hxxps[://]x[.]com/DefusedCyber/status/2069074520057557244