
CVE-2026-20230 in Cisco Unified CM: SSRF to Root Exploit


CyberSecureFox Editorial Team

A critical vulnerability, CVE-2026-20230 (CVSS 8.6), has been discovered in Cisco Unified Communications Manager and Unified CM Session Management Edition. It allows an unauthenticated remote attacker to perform a server-side request forgery (SSRF) attack, write arbitrary files to the server’s operating system, and subsequently escalate privileges to root. Exploitation requires the WebDialer service to be enabled, which is disabled by default. Cisco has released fixes in versions 14SU6 and 15SU5; organizations running vulnerable versions with WebDialer active should immediately apply the updates or disable the service.

Technical essence of the vulnerability

According to the official Cisco advisory, the root cause is improper input validation when processing certain HTTP requests. An attacker sends a specially crafted HTTP request to a vulnerable device, which results in server-side request forgery (SSRF). Successful exploitation allows files to be written to the operating system’s file system, which can later be used to escalate privileges to root.

The key prerequisite for exploitation is that the Cisco WebDialer Web Service must be running on the target system. According to Cisco, this service is disabled by default, which significantly reduces the attack surface. However, in corporate environments where WebDialer is actively used to integrate telephony with web interfaces, the risk remains substantial.

According to researchers from SSD Secure Disclosure, the exploitation chain involves using the WebDialer component to obtain the real hostname of the target server, which ultimately makes it possible to achieve arbitrary code execution. These technical details were published by third-party researchers and have not yet been confirmed by Cisco in the official advisory.
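The advisory attributes the flaw to improper input validation that lets a crafted request turn the server into a proxy for a destination of the attacker's choosing. The following is an added illustration of the standard mitigation for that bug class (an allowlist on scheme, host and port for any URL the server will fetch on a caller's behalf); it is not Cisco's code or the actual fix, and the host names, ports and sample inputs are constructed for the example:

```python
"""Allowlist-based validation of a server-side fetch target.

Added illustration of the generic SSRF mitigation (scheme/host/port allowlist).
This is not Cisco's code; ALLOWED_HOSTS and the sample inputs are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed host names standing in for the servers the service may legitimately call.
ALLOWED_HOSTS = {"cucm-pub.example.internal", "cucm-sub1.example.internal"}
ALLOWED_PORTS = {None, 80, 443, 8443}


def validate_outbound_url(raw):
    """Return (ok, reason). Only a URL that passes every allowlist check is accepted."""
    try:
        parts = urlsplit(raw.strip())
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return False, "unparseable URL"
    # Deny-by-default on scheme: file://, gopher://, dict:// etc. never reach a fetch.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    # user@host tricks ("trusted.host@evil.host") are rejected outright.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # IP literals (including loopback and link-local) bypass name-based allowlists.
    try:
        ipaddress.ip_address(host)
        return False, "IP literal not allowed"
    except ValueError:
        pass
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not allowlisted"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, "ok"


# Constructed inputs covering the accept case and the common bypass shapes.
SAMPLE_INPUTS = [
    "https://cucm-pub.example.internal/ccmadmin/",
    "file:///etc/hosts",
    "https://cucm-pub.example.internal@203.0.113.9/",
    "http://127.0.0.1:8080/",
    "https://cucm-pub.example.internal:65536/",
]


def check_all(urls):
    """Map each URL to its (ok, reason) verdict."""
    return {u: validate_outbound_url(u) for u in urls}


if __name__ == "__main__":
    for url, (ok, reason) in check_all(SAMPLE_INPUTS).items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {url}  ({reason})")
```

The point of the allowlist shape is that every check is deny-by-default: a new scheme, an IP literal or an unexpected port is rejected without anyone having to anticipate it, which is what a blocklist on known-bad prefixes such as `file://` cannot guarantee.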

Exploitation status and public PoC

A publicly available proof-of-concept exists for this vulnerability. The researcher Defused Cyber reported observing exploitation attempts originating from a single source using an unverified PoC — honeypots recorded payloads using the file:// scheme for file writes. However, it should be emphasized that as of publication time Cisco has not updated its advisory to reflect active exploitation status, and the attack data comes from a single source that has not been validated by the vendor. The vulnerability has also not been added to the CISA KEV catalog.

Thus, the exploitation status is best classified as “public PoC available” with unconfirmed signals of use in real-world attacks, rather than as confirmed exploitation in the wild.

Impact assessment

Cisco Unified Communications Manager is one of the most widely used enterprise IP telephony platforms. Its compromise may lead to:

  • Full control over the telephony server (file write + escalation to root)
  • Interception and manipulation of voice communications
  • Use of the compromised server as a foothold for lateral movement within the corporate network
  • Disruption of the organization’s telephony infrastructure

The highest risk is to organizations where WebDialer is enabled to provide click-to-dial or web-based dialing — a typical scenario for large contact centers and companies integrating telephony into corporate portals.

Response recommendations

Immediate actions

  1. Check WebDialer status: log in to the Cisco Unified CM Administration interface → Navigation → Cisco Unified Serviceability → Tools → Control Center – Feature Services → CTI Services section. If the Cisco WebDialer Web Service status is “Started,” the service is active and the system is potentially vulnerable.
  2. Apply updates: update Unified CM and Unified CM SME to versions 14SU6 or 15SU5, in which the vulnerability is fixed.
  3. Temporary mitigation: if immediate updating is not possible, disable the WebDialer service until the patch is applied.

Additional measures

  • Audit HTTP request logs on Unified CM servers for anomalous access to the WebDialer component
  • Check the servers’ file systems for atypical files that could have been written through exploitation of the vulnerability
  • Restrict network access to the Unified CM management interface if it is reachable from untrusted segments
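The first of the additional measures above, auditing HTTP access logs for anomalous WebDialer requests, can be automated. The script below is an added example rather than anything published by Cisco or the researchers: it parses combined-format access-log lines, keeps only requests under an assumed `/webdialer/` URL prefix (adjust to the deployment), and flags those whose query-string values carry a URL scheme such as `file://`, the payload shape the honeypot report describes, after stripping one or two layers of percent-encoding. The log lines, client addresses and parameter names are constructed for the example.

```python
"""Triage of access-log lines for SSRF-style requests against a WebDialer endpoint.

Added example, not Cisco's tooling. Assumptions: Apache/Tomcat combined log
format, and WebDialer served under the /webdialer/ prefix. Sample lines,
addresses and parameter names are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed URL prefixes for the WebDialer web service; adjust to your deployment.
WEBDIALER_PREFIXES = ("/webdialer/",)

# Schemes a WebDialer request has no legitimate reason to carry inside a parameter.
SUSPICIOUS_SCHEMES = ("file", "gopher", "dict", "ftp", "ldap")

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def embedded_schemes(target):
    """Return suspicious URL schemes found inside the query-string values of a request target.

    parse_qsl decodes one layer of percent-encoding; two further unquote() calls
    catch double- and triple-encoded payloads.
    """
    query = urlsplit(target).query
    found = []
    for _, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(unquote(value)).lower()
        for scheme in SUSPICIOUS_SCHEMES:
            if scheme + ":/" in decoded:  # matches both scheme:// and scheme:/path
                found.append(scheme)
    return found


def triage(lines):
    """Return one finding per WebDialer request whose parameters embed a suspicious scheme."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path.lower()
        if not path.startswith(WEBDIALER_PREFIXES):
            continue
        schemes = embedded_schemes(rec["target"])
        if schemes:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": path,
                "status": rec["status"],
                "schemes": sorted(set(schemes)),
            })
    return findings


# Constructed sample log: two suspicious WebDialer hits (one double-encoded),
# one unrelated admin request, and two benign WebDialer requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:09:14:02 +0000] "GET /webdialer/Webdialer?cmd=dial&target=file:///tmp/x HTTP/1.1" 200 512
198.51.100.5 - - [10/Feb/2026:09:14:05 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 200 8831
203.0.113.7 - - [10/Feb/2026:09:14:09 +0000] "POST /webdialer/services/WebdialerSoap HTTP/1.1" 500 0
203.0.113.7 - - [10/Feb/2026:09:14:11 +0000] "GET /webdialer/Webdialer?url=file%253A%252F%252F%252Fetc%252Fhosts HTTP/1.1" 200 44
192.0.2.20 - - [10/Feb/2026:09:15:00 +0000] "GET /webdialer/Webdialer?cmd=dial&destination=5551000 HTTP/1.1" 200 640
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['path']} status={f['status']} schemes={','.join(f['schemes'])}")
```

Run it against the real access log (on Unified CM these are collected through RTMT or the CLI file-get commands) and review every flagged source address; a hit on a host where WebDialer is enabled is a strong trigger for the file-system check in the second bullet above.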

Given the availability of a public PoC and reports of exploitation attempts, the response priority is high. Organizations with WebDialer enabled are advised to apply the patch or disable the service within the next 24–48 hours, without waiting for Cisco to confirm widespread exploitation or for inclusion in the CISA KEV catalog.
