Vulnerabilities, Jun 4, 2026

SSRF to Root: Unauthenticated File-Write Flaw in Cisco Unified CM (CVE-2026-20230)

Unauthenticated SSRF flaw in Cisco Unified CM enables file-write and root privilege escalation.

Summary

CVE-2026-20230 is a critical unauthenticated SSRF vulnerability in Cisco Unified Communications Manager and Unified CM SME that allows remote attackers to write files and escalate to root privileges. The flaw affects systems with the WebDialer service enabled and carries a CVSS score of 8.6, though Cisco assigned it Critical severity because of the privilege escalation path. Public proof-of-concept code is already circulating, significantly lowering the barrier to exploitation.

Full text

Cisco Unified Communications Manager • CWE-918 SSRF • Published 2026-06-03

Vulnerability Overview

CVE-2026-20230 is an unauthenticated, remote server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME). It carries a CVSS v3.1 base score of 8.6 (High), but Cisco assigned it a Critical Security Impact Rating rather than High, because successful exploitation can let an attacker write files to the underlying operating system and ultimately elevate to root. Public proof-of-concept exploit code is already circulating, which meaningfully lowers the barrier to attack.

  • CVE ID: CVE-2026-20230
  • CVSS Score: 8.6 (High)
  • Cisco SIR: Critical
  • Weakness: CWE-918
  • Affected Product: Unified CM / SME
  • Prerequisite: WebDialer enabled
  • Attack Vector: Network / Unauthenticated
  • Exploit Status: Public PoC

Bottom Line

If your Unified CM or Unified CM SME deployment has the WebDialer service enabled, you are exposed. Patch to a fixed release now, and disable WebDialer as an immediate stopgap if you cannot patch right away.

Why Unified CM Is a High-Value Target

Unified CM is the call-control core of Cisco's enterprise voice and collaboration stack, handling call routing, device registration, and telephony services for entire organizations. These systems frequently sit on internal networks with broad reachability, and many are exposed to wider access than their owners assume. A flaw that grants an unauthenticated attacker file-write access on the underlying OS, with a credible path to root, turns the communications backbone into a foothold for deeper compromise. SSRF on this kind of appliance is also valuable on its own, since it lets an attacker pivot to internal services and endpoints that would otherwise be unreachable.
Technical Analysis

The root cause is improper input validation of specific HTTP requests processed by the WebDialer service. An unauthenticated attacker sends a crafted HTTP request to an affected device, and the flawed validation lets that request trigger SSRF behavior, coercing the server into making requests the attacker controls.

The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N) tells the story: network-reachable, low attack complexity, no privileges or user interaction required, a changed scope, and a high integrity impact, which reflects the ability to write files rather than merely read data. That file-write capability is what pushes the real-world severity beyond the 8.6 score.

According to researchers analyzing the public PoC, the SSRF primitive can be used to write malicious files to sensitive locations on disk. Those files can subsequently be executed or used to manipulate system processes, providing the stepping stone Cisco describes for elevating privileges to root. In other words, a single crafted request is the entry point to a chain that ends in full system control.

One important constraint: exploitation requires the WebDialer service to be running. WebDialer is disabled by default, so a stock installation is not immediately vulnerable, but the service is commonly enabled in enterprise click-to-call deployments, which is exactly where the exposure concentrates.

Exploitation Status

At disclosure, Cisco's PSIRT confirmed it is aware of publicly available proof-of-concept exploit code for CVE-2026-20230 but had not yet found evidence of active exploitation or targeting in the wild. That gap rarely lasts. Reporting on the released PoC notes that it demonstrates SSRF-based file writing, precisely the behavior an attacker would weaponize for persistence or escalation, which makes internet-facing or loosely segmented Unified CM systems a likely near-term target. Treat the published PoC as a countdown rather than a reassurance.

Am I Affected?
You are potentially affected if you run Unified CM or Unified CM SME with the WebDialer service enabled. To check the service status, log in to the Cisco Unified CM Administration interface, open Cisco Unified Serviceability, and review the Cisco WebDialer Web Service under Control Center - Feature Services. If the service shows as Started, treat the system as vulnerable until it is patched.

Affected Versions & Fixes

Product            Condition            Resolution
Unified CM / SME   WebDialer enabled    Upgrade to a fixed release: 14SU6 or 15SU5 (or apply the Cisco-provided COP file)
Unified CM / SME   WebDialer disabled   Not exploitable in this state; still patch on your normal cycle

Cisco notes there are no workarounds that fully address the vulnerability. Disabling WebDialer is an effective mitigation, not a fix; the durable resolution is to move to a patched maintenance release.

Mitigation & Remediation

Priority order, drawn from the Cisco security advisory (cisco-sa-cucm-ssrf-cXPnHcW):

1. Patch to a fixed release. Install Cisco Unified CM 14SU6 or 15SU5, or apply the COP (Cisco Options Package) patch where a full maintenance upgrade is not yet practical. This is the only complete fix.
2. Disable WebDialer if you cannot patch immediately. In Unified CM Administration, choose Cisco Unified Serviceability from the Navigation menu, open Tools, then Service Activation, and under CTI Services uncheck Cisco WebDialer Web Service and save. This blocks the attack path until the patch is applied.
3. Restrict network exposure. Ensure Unified CM management and service interfaces are not reachable from untrusted networks, and place them behind segmentation and access controls.
4. Monitor for abuse. Watch for anomalous HTTP requests to WebDialer endpoints, unexpected outbound requests originating from the Unified CM host (a hallmark of SSRF), and new or modified files in sensitive locations.

The Bigger Picture

CVE-2026-20230 continues a run of serious Unified CM issues.
In January 2026, Cisco fixed a separate critical Unified CM flaw, CVE-2026-20045, that was exploited as a zero-day in remote code execution attacks, and the platform has seen recurring problems around static credentials and input validation. The pattern is a reminder that communications infrastructure deserves the same patch discipline, segmentation, and monitoring as any internet-adjacent application. When a single unauthenticated request can write files on a call-control server, the distance from that server to the rest of the environment is shorter than it looks.

References

  • Cisco Security Advisory - cisco-sa-cucm-ssrf-cXPnHcW
  • NVD - CVE-2026-20230
  • BleepingComputer - Cisco Warns of Critical Unified CM Flaw with PoC
  • GBHackers - PoC Exploit Released for Cisco Unified CM
  • Cybersecurity News - Unified CM Vulnerability Exposed with PoC
  • The Hacker Wire - Unauthenticated SSRF to Root Privilege Escalation
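As an added example for the "Monitor for abuse" step in Mitigation & Remediation above (not code from Cisco, the advisory, or any of the cited reports), this Python script scans constructed reverse-proxy access-log lines for WebDialer requests whose query parameters carry URLs aimed at loopback, link-local or private addresses, or at non-HTTP schemes, the request-side pattern of an SSRF attempt. The /webdialer/ path prefix, the parameter names and the log lines are assumptions made for illustration; the actual request format used by the PoC is not described on this page.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format) from a reverse proxy
# in front of a Unified CM node. The /webdialer/ prefix and the parameter names
# are illustrative assumptions, not values taken from the advisory or the PoC.
SAMPLE_LOG = """\
10.0.5.20 - - [04/Jun/2026:09:12:01 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 200 5120
203.0.113.7 - - [04/Jun/2026:09:12:03 +0000] "GET /webdialer/Webdialer?dest=1001&cb=http://127.0.0.1:8443/ HTTP/1.1" 200 312
203.0.113.7 - - [04/Jun/2026:09:12:04 +0000] "GET /webdialer/Webdialer?cb=http%3A%2F%2F169.254.169.254%2Flatest%2F HTTP/1.1" 500 0
10.0.5.21 - - [04/Jun/2026:09:12:09 +0000] "GET /webdialer/Webdialer?dest=1002 HTTP/1.1" 200 2048
198.51.100.9 - - [04/Jun/2026:09:12:12 +0000] "GET /webdialer/Redirector?u=file:///tmp/x HTTP/1.1" 400 0
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
WEBDIALER_PREFIX = "/webdialer/"  # assumption: confirm the servlet paths in your deployment

def is_internal_host(host: str) -> bool:
    # Loopback, link-local (incl. cloud metadata), RFC 1918 and reserved ranges.
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS name: resolve and re-check if you want more depth
    return ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_reserved

def classify_value(value: str):
    # Return a reason when a query value is an absolute URL the server might fetch.
    parts = urlsplit(unquote(value))
    if not parts.scheme:
        return None  # dial strings and other plain values are not URLs
    if parts.scheme.lower() not in ("http", "https"):
        return f"non-HTTP scheme {parts.scheme}"
    if parts.hostname and is_internal_host(parts.hostname):
        return f"internal target {parts.hostname}"
    return f"outbound URL to {parts.hostname}"

def find_ssrf_candidates(log_text: str) -> list:
    # One record per suspicious parameter; path and status help later triage.
    hits = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        if not m["target"].startswith(WEBDIALER_PREFIX):
            continue
        path, _, query = m["target"].partition("?")
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for reason in filter(None, map(classify_value, values)):
                hits.append({"src": m["src"], "path": path, "param": param, "status": int(m["status"]), "reason": reason})
    return hits
```

Correlate each hit with egress logs from the Unified CM host: a flagged request followed by a connection from the node to the same target is the outbound-request hallmark the monitoring step describes.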

Indicators of Compromise

  • cve — CVE-2026-20230

Entities

  • Cisco (vendor)
  • Unified Communications Manager (product)
  • Unified CM Session Management Edition (product)
  • WebDialer (product)