Cisco UCM SSRF Bug Allows Unauthenticated RCE as Root, Under Exploitation
Summary
On June 3, Cisco disclosed CVE-2026-20230, a Server-Side Request Forgery (SSRF) vulnerability in the WebDialer service of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). An unauthenticated remote attacker can exploit the flaw by sending a crafted HTTP request to an affected device, allowing them to write files to the underlying operating system that can subsequently be leveraged to escalate privileges to root. Cisco has assigned this advisory a Security Impact Rating (SIR) of Critical because successful exploitation results in root-level privilege escalation, even though the base CVSS 3.1 score is 8.6 (High).
The vulnerability is now being actively exploited in the wild. Threat intelligence firm Defused Cyber reported observing exploitation from a single source using an unvetted proof-of-concept (PoC), with file-write payloads formatted as file:// URIs landing on its decoy systems. SSD Secure Disclosure has since published additional technical details describing the flaw as enabling arbitrary file writes that can be chained to achieve remote code execution (RCE) on the server.
Affected Systems and/or Applications
- Cisco Unified Communications Manager (Unified CM) - Release 14 and Release 15 branches
- Cisco Unified Communications Manager Session Management Edition (Unified CM SME) - Release 14 and Release 15 branches
The vulnerability only affects systems on which the WebDialer service is enabled. WebDialer is disabled by default.
Fixed Releases: 14SU6 (Release 14) and 15SU5/COP (Release 15). Patches are version-specific; consult the README attached to the patch file before installation.
Technical Details
- CWE: CWE-918 - Server-Side Request Forgery (SSRF)
- CVSS: 8.6 (High) - Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N (the base score captures only the integrity impact of the file write with changed scope; it does not reflect the root-level outcome of the full chain, which is why Cisco's SIR is Critical)
- Root Cause: Improper input validation for specific HTTP requests handled by the WebDialer service
- Attack Vector: Unauthenticated, remote attacker sends a crafted HTTP request to an affected device
- Exploitation Chain: The WebDialer component is abused to obtain the true hostname of the target, which is then leveraged to perform arbitrary file writes on the server, ultimately enabling code execution
- Observed in the Wild: Exploitation observed from a single source using an unvetted PoC with file:// file-write payloads targeting decoy systems
- Prerequisite: WebDialer service must be enabled on the target
Mitigation
Cisco states that there are no complete workarounds for this vulnerability; software updates are the only comprehensive remediation.
Temporary Mitigation (until patching is possible): Disable the WebDialer service:
- Log in to the Cisco Unified CM Administration interface.
- From the Navigation menu, choose Cisco Unified Serviceability and click Go.
- From the Tools menu, choose Control Center - Feature Services.
- In the CTI Services section, check whether the current status of the Cisco WebDialer Web Service is Started or Not Running.
- If the status is Started, WebDialer is enabled and should be disabled (uncheck the service and save).
Recommended Actions:
- Identify all Unified CM and Unified CM SME deployments and determine whether WebDialer is enabled.
- Apply the appropriate fixed release (14SU6 or 15SU5/COP) as soon as operationally feasible, prioritizing internet-exposed or untrusted-network-adjacent systems given the availability of public exploit code and confirmed in-the-wild exploitation.
- If patching cannot be performed immediately, disable WebDialer as a temporary mitigation.
- Monitor Unified CM hosts for suspicious file writes (especially those originating from file:// URI payloads) and unexpected privilege escalation activity.
- Restrict network access to Unified CM management and WebDialer interfaces to trusted administrative networks.
- Review logs and forensic artifacts for indicators of compromise consistent with the SSD Secure Disclosure exploitation chain (WebDialer-based hostname disclosure followed by arbitrary file writes).
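As a starting point for the log review above, the following is an added example (not code from Cisco, SSD Secure Disclosure, or the advisory) that scans Common Log Format access-log lines for requests to WebDialer whose URL carries an SSRF-style URI scheme, undoing double percent-encoding before matching and tallying hits per source address so a single-origin pattern like the one Defused Cyber observed stands out. The /webdialer/ path, the query parameter name `uri`, the sample log lines, and the extra schemes beyond file:// are all assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Assumption (not from the advisory): the WebDialer servlet is served from the
# /webdialer/ context on the Unified CM Tomcat instance.
WEBDIALER_PATH = re.compile(r"^/webdialer(/|$)", re.IGNORECASE)

# URI schemes worth flagging in an SSRF context. Only file:// payloads were
# reported in the wild; the other schemes are a generalisation for hunting.
SUSPICIOUS_SCHEMES = re.compile(r"\b(file|gopher|dict|ftp|ldap|tftp)://", re.IGNORECASE)

# Common Log Format: src ident user [time] "METHOD URL PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the "uri" parameter name is hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2026:10:15:01 +0000] "GET /webdialer/Webdialer?destination=1001 HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/Jun/2026:10:15:07 +0000] "POST /webdialer/Webdialer?uri=file%3A%2F%2F%2Ftmp%2Fpayload HTTP/1.1" 200 88',
    '198.51.100.7 - - [03/Jun/2026:10:16:00 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 302 0',
    '203.0.113.9 - - [03/Jun/2026:10:16:20 +0000] "GET /webdialer/Webdialer?uri=file%253A%252F%252F%252Fetc%252Fhosts HTTP/1.1" 500 0',
    '192.0.2.4 - - [03/Jun/2026:10:17:00 +0000] "GET /webdialer/Webdialer?uri=https://cucm.example.net/ HTTP/1.1" 200 40',
    '198.51.100.7 - - [03/Jun/2026:10:18:00 +0000] "GET /ccmadmin/x?u=file:///etc/passwd HTTP/1.1" 404 0',
    'not a log line',
]


def fully_decode(value, max_rounds=3):
    """Undo up to max_rounds layers of percent-encoding (catches double-encoded payloads)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(lines, webdialer_only=True):
    """Return one finding per request whose decoded URL contains a suspicious URI scheme.

    With webdialer_only=True only requests under /webdialer/ are considered; set it
    to False to hunt for the same payload shape against any path.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in CLF shape; skip rather than guess
        url = m.group("url")
        path = url.split("?", 1)[0]
        if webdialer_only and not WEBDIALER_PATH.match(path):
            continue
        decoded = fully_decode(url)
        hit = SUSPICIOUS_SCHEMES.search(decoded)
        if hit is None:
            continue
        findings.append({
            "src": m.group("src"),
            "time": m.group("time"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "scheme": hit.group(1).lower(),
            "decoded_url": decoded,
        })
    return findings


def summarize_by_source(findings):
    """Count flagged requests per source address."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["src"]} {h["method"]} {h["status"]} '
              f'-> {h["scheme"]}:// in {h["decoded_url"]}')
    print("flagged requests per source:", summarize_by_source(hits))
```

Two caveats when running this against real Unified CM logs: an access log records only the request line, so a payload carried in a POST body will not appear and must be looked for in the WebDialer service logs or in the resulting on-disk artifacts instead; and a 500 on an otherwise well-formed WebDialer request from the same source as a file:// attempt is worth treating as part of the same event rather than as noise.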
References
- Cisco Security Advisory: cisco-sa-cucm-ssrf-cXPnHcW
- The Hacker News: Cisco Unified CM Flaw Exploited After Disclosure
- SSD Secure Disclosure: Cisco Unified Communications Manager Arbitrary File Write to RCE
- Defused Cyber on X (Twitter)
- NVD: CVE-2026-20230
- GitHub Security Advisory: GHSA-fcv7-pchj-75c2