CVE-2026-20230 — Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability

Cisco Unified CM — Unauthenticated SSRF via WebDialer Enabling File Write and Root Escalation

What is Cisco Unified Communications Manager?

Cisco Unified Communications Manager (Unified CM, also known as CUCM) is the call-processing core of Cisco's enterprise telephony platform, deployed by government agencies, financial institutions, hospitals, and large enterprises to manage IP telephony, voicemail, video conferencing, and unified messaging. Unified CM Session Management Edition (SME) is a specialized variant for large hierarchical telephony deployments. These systems frequently sit at network perimeters, process sensitive communications, and run as trusted appliances — making root-level compromise particularly dangerous for both data interception and lateral network movement.

Overview

CVE-2026-20230 is a server-side request forgery (SSRF) vulnerability in the WebDialer service of Cisco Unified CM and Unified CM SME. An unauthenticated remote attacker can send a crafted HTTP request that causes the server to make internal requests, which can be chained to write arbitrary files to the operating system and escalate to root.

Cisco rated the base CVSS score at 8.6 HIGH, but internally classified its Security Impact Rating as Critical due to the root escalation path. A public proof-of-concept was released two days after the advisory. Active exploitation was confirmed less than 24 hours after the PoC became widely available. CISA added the vulnerability to the KEV catalog on June 25, 2026.

Important: The WebDialer service is disabled by default. Instances where WebDialer has not been enabled are not exploitable via this vulnerability.

Affected Versions

Product | Fixed Version
Cisco Unified CM 14 | 14SU6
Cisco Unified CM 15 | 15SU5 (September 2026) or COP file (available sooner)
Cisco Unified CM SME | Aligned with the above

Cisco Bug ID: CSCws67331.

Technical Details

The vulnerability (CWE-918) resides in the WebDialer service, which allows users to initiate phone calls from a web browser. The full exploit chain documented by SSD Secure Disclosure proceeds in four stages:

  1. SSRF via WebDialer: A crafted HTTP request to the WebDialer endpoint causes the server to make internal requests, including to the internal Apache Axis SOAP service
  2. File write via Axis: By manipulating the SSRF to interact with Apache Axis, the attacker writes a malicious JSP file into a publicly accessible Cisco Tomcat web directory
  3. Remote code execution: The attacker fetches the planted JSP webshell over HTTP, executing arbitrary commands in the Tomcat process context
  4. Root escalation: Additional steps escalate privileges from the Tomcat service account to full root on the appliance OS

Key attack characteristics:

  • No authentication required: Full unauthenticated exploitation from the network
  • Scope Changed: The SSRF crosses a security boundary into the internal SOAP service, reflected in the CVSS S:C component
  • Prerequisite: WebDialer must be enabled — it is off by default
  • No workaround other than disabling WebDialer: Cisco states there is no other mitigation available

Discovery

Discovered by an independent security researcher working with SSD Secure Disclosure, who is credited in Cisco's advisory. SSD published the full technical write-up and proof-of-concept demonstrating the complete SSRF-to-root chain on June 5, 2026, two days after the Cisco advisory.

Exploitation Context

Active exploitation was confirmed by Defused Cyber on June 24, 2026 — less than 24 hours after the PoC became widely circulated. Observed activity used "genuinely-formatted file:// file-write payloads," consistent with automated scanning exploiting the disclosed technique directly. Horizon3.ai released a NodeZero Rapid Response test for CVE-2026-20230 to help organizations assess their exposure.

The rapid weaponization timeline (advisory June 3 → PoC June 5 → confirmed exploitation June 24) is consistent with opportunistic automated exploitation following a public PoC release. No specific threat actor has been publicly attributed.

Remediation

  1. Disable WebDialer immediately: If WebDialer is not required for business operations, disable it — this fully eliminates the attack surface for this vulnerability. Navigate to Cisco Unified Serviceability > Tools > Service Activation to check and disable the Cisco WebDialer Web Service
  2. Apply patches: Upgrade to Unified CM 14SU6 (available now); for Unified CM 15, apply the available COP file as an interim measure, then upgrade to 15SU5 when available
  3. Audit WebDialer usage before disabling: Determine which users and departments rely on WebDialer and whether it can be permanently decommissioned
  4. Search for webshells: Inspect Cisco Tomcat web directories for unexpected JSP files placed after June 5, 2026
  5. Review access logs: Look for anomalous HTTP requests to the WebDialer endpoint, particularly crafted requests containing file:// URIs or SOAP-formatted payloads submitted prior to patching
  6. Network controls: Restrict public internet access to Unified CM management and WebDialer interfaces where possible; telephony infrastructure rarely requires direct internet exposure
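A defender-side triage helper for remediation steps 4 and 5, added here as example code (not from Cisco, SSD Secure Disclosure, or the advisory): it flags requests to the WebDialer path whose URL-decoded target carries a file:// URI or a SOAP envelope, and lists JSP files modified after the disclosure date. The /webdialer/ path prefix, the Apache combined log format, and the sample log lines and parameter names are assumptions or constructed for the example.

```python
import os, re, tempfile
from datetime import datetime, timezone
from pathlib import Path
from urllib.parse import unquote

WEBDIALER_PATH = "/webdialer/"  # assumption: WebDialer is served under this path prefix
# Indicator types named in the advisory: file:// URIs and SOAP-formatted payloads
INDICATORS = (re.compile(r"file://", re.I), re.compile(r"<\w*:?envelope\b", re.I))
# Apache/Tomcat combined log format: client, timestamp, request line, status code
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def suspicious_requests(lines):
    """Return (client_ip, timestamp, decoded_target) for every request to the WebDialer path
    whose URL-decoded target matches an indicator; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote(m["target"])  # decode %2F, %3C ... before matching
        if WEBDIALER_PATH in target.lower() and any(p.search(target) for p in INDICATORS):
            hits.append((m["ip"], m["ts"], target))
    return hits

def recent_jsp_files(web_root, cutoff):
    """Return names of *.jsp files under web_root modified at or after cutoff (aware datetime)."""
    found = [p for p in Path(web_root).rglob("*.jsp")
             if datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc) >= cutoff]
    return sorted(p.name for p in found)

# Constructed sample log lines (not real traffic); the parameter names are invented and the
# indicator strings only mimic the types named above, not any working request.
SAMPLE_LOG = [
    '198.51.100.5 - - [04/Jun/2026:09:15:02 +0000] "GET /webdialer/Webdialer?cmd=doMakeCall&sendto=2001 HTTP/1.1" 200 812',
    '203.0.113.7 - - [06/Jun/2026:03:41:20 +0000] "GET /webdialer/Webdialer?uri=file%3A%2F%2F%2Ftmp%2Ftest HTTP/1.1" 500 210',
    '203.0.113.7 - - [06/Jun/2026:03:41:25 +0000] "POST /webdialer/Webdialer?data=%3Csoap%3AEnvelope%3E HTTP/1.1" 200 95',
    '198.51.100.9 - - [06/Jun/2026:08:00:00 +0000] "GET /ccmadmin/main.do HTTP/1.1" 200 4096',
    "not a log line",
]

def demo_jsp_scan():
    """Build a constructed web root with one pre-cutoff and one post-cutoff JSP; return the latter."""
    root = tempfile.mkdtemp()
    cutoff = datetime(2026, 6, 5, tzinfo=timezone.utc)  # PoC publication date from the timeline
    for name, when in (("index.jsp", datetime(2024, 1, 1, tzinfo=timezone.utc)),
                       ("planted.jsp", datetime(2026, 6, 6, tzinfo=timezone.utc))):
        Path(root, name).write_text("<%-- constructed --%>")
        os.utime(Path(root, name), (when.timestamp(), when.timestamp()))
    return recent_jsp_files(root, cutoff)
```

Run suspicious_requests over the Tomcat access logs and recent_jsp_files over each deployed web root; any hit from before patching warrants a full forensic review rather than just deleting the file.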

Key Details

Property | Value
CVE ID | CVE-2026-20230
Vendor / Product | Cisco — Unified Communications Manager
NVD Published | 2026-06-03
NVD Last Modified | 2026-07-01
CVSS 3.1 Score | 8.6
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Severity | HIGH
CWE | CWE-918
CISA KEV Added | 2026-06-25
CISA KEV Deadline | 2026-06-28
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: High
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2026-06-28. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA's "Forensics Triage Requirements" (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

Date | Event
2026-06-03 | Cisco advisory published (v1.0); CVE published
2026-06-05 | Public PoC released by SSD Secure Disclosure demonstrating full SSRF-to-root chain
2026-06-24 | Active exploitation confirmed (Defused Cyber) — sub-24-hour weaponization after PoC availability
2026-06-25 | Added to CISA Known Exploited Vulnerabilities catalog
2026-06-28 | CISA BOD 22-01 remediation deadline
2026-07-01 | Cisco advisory updated (v1.1)