Cisco warns of critical Unified CM flaw with PoC exploit code
Cisco patches critical Unified CM flaw enabling root privilege escalation via SSRF attacks.
Summary
Cisco released security updates for CVE-2026-20230, a critical vulnerability in Unified Communications Manager that allows unauthenticated attackers to gain root privileges through server-side request forgery (SSRF) attacks via crafted HTTP requests. Publicly available proof-of-concept exploit code exists, though no active exploitation has been detected yet. The flaw only affects systems with the WebDialer service enabled (disabled by default), and patches are available in versions 14SU6 or 15SU5.
Full text
Cisco warns of critical Unified CM flaw with PoC exploit code By Sergiu Gatlan June 4, 2026 07:09 AM 0 Cisco has released security updates to patch a critical-severity Unified Communications Manager (Unified CM) flaw that allows attackers to gain root privileges. Cisco Unified CM (formerly known as Cisco CallManager) serves as the central control system for Cisco IP telephony systems, handling device management, call routing, and telephony features. The vulnerability (tracked as CVE-2026-20230) can be exploited remotely by threat actors without privileges in low-complexity server-side request forgery (SSRF) attacks. "An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root," Cisco said. "Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root." Cisco's Product Security Incident Response Team (PSIRT) is aware of publicly available proof-of-concept exploit code for CVE-2026-20230, but has yet to find evidence of active exploitation or targeting. Luckily, the vulnerability only impacts systems where the WebDialer service is enabled, and WebDialer is disabled by default. To check whether WebDialer is enabled, log in to Cisco Unified CM Administration, go to "Cisco Unified Serviceability," click "Go," and check the service status in the Tools > CTI Services menu under "Control Center - Feature Services." While there are no workarounds to mitigate this vulnerability, and it's highly recommended to install Cisco Unified CM versions 14SU6 or 15SU5 (Sep 2026 or COP), administrators can also disable the WebDialer service until a patch is applied to block any incoming CVE-2026-20230 attacks. To disable WebDialer, go through the following steps: Log in to the Cisco Unified CM Administration interface. From the 'Navigation' menu, choose 'Cisco Unified Serviceability and click Go. From the 'Tools' menu, choose 'Service Activation.' In the 'CTI Services' section of the page, uncheck the 'Cisco WebDialer Web Service' checkbox, then click Save. In January, Cisco fixed another critical Unified CM vulnerability (CVE-2026-20045) that has been actively exploited as a zero-day in remote code execution attacks. Over the past several years, the company also removed a Unified CM backdoor account that allowed remote attackers to log in to unpatched devices with root privileges, and patched another flaw (CVE-2024-20253) that enabled threat actors to gain root access to vulnerable systems. Over the past five years, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) tagged 91 Cisco vulnerabilities as actively exploited in the wild, six of which have been used by various ransomware operations. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Cisco warns that Unified CM has hardcoded root SSH credentialsDisgruntled researcher leaks “BlueHammer” Windows zero-day exploitWindows BitLocker zero-day gives access to protected drives, PoC releasedExploit available for new DirtyDecrypt Linux root escalation flawCritical cPanel and WHM bug exploited as a zero-day, PoC now available
Indicators of Compromise
- cve — CVE-2026-20230
- cve — CVE-2026-20045
- cve — CVE-2024-20253