Cisco has patched a server-side request forgery flaw in Unified Communications Manager that hands an unauthenticated network attacker a path to root. Tracked as CVE-2026-20230, the bug was disclosed on June 3 in advisory cisco-sa-cucm-ssrf-cXPnHcW, and proof-of-concept exploit code is already public. Cisco’s PSIRT says it has not seen the flaw used in attacks — but a published PoC against enterprise voice infrastructure shortens that timeline considerably.

What happened

The vulnerability sits in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME). Both fail to properly validate certain HTTP requests, so a crafted request can coerce the server into making requests it shouldn’t — classic SSRF (CWE-918). The dangerous part is the secondary effect: a successful exploit lets the attacker write arbitrary files to the underlying operating system, and those files become the foothold for escalating to root.

No authentication is required. The attack is network-reachable, low-complexity, and needs no user interaction.

Why the score and the rating disagree

CVE-2026-20230 carries a CVSS 3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N). That vector scores only the file write — an integrity-only impact, with no confidentiality or availability loss. It does not account for the root escalation that the file write enables.

Cisco assigned the advisory a Security Impact Rating of Critical anyway, explicitly because the end state is full root on the box. Treat this as a critical, not a high. The arithmetic undersells it.

The one mitigating factor: WebDialer

Exploitation only works when the Cisco WebDialer Web Service is running. WebDialer ships disabled by default, so a stock deployment is not exposed — but plenty of click-to-dial integrations turn it on, and those deployments are fully in scope.

To check whether you’re exposed:

  1. Log in to Cisco Unified CM Administration.
  2. From the Navigation menu, choose Cisco Unified Serviceability and click Go.
  3. Open Tools > Control Center - Feature Services.
  4. In the CTI Services section, look at the Cisco WebDialer Web Service status. Started means you’re vulnerable.

Affected versions and fixes

There are no workarounds that fix the flaw. Patching is the only real remediation:

  • 14 train: fixed in 14SU6 — available now.
  • 15 train: the full Service Update 15SU5 is not due until September 2026. Until then you’re on the interim COP patch (COP1).

If you can’t patch the 15 train immediately, disable WebDialer as a mitigation: Cisco Unified Serviceability > Tools > Service Activation, uncheck Cisco WebDialer Web Service in the CTI Services section, and save. Validate the impact on click-to-dial functionality in your environment first.

Impact assessment

Unified CM is the call-control brain of most enterprise Cisco voice deployments. Root on that host means control of telephony routing, access to call metadata and configuration, and a deep pivot point inside the voice VLAN — which is frequently adjacent to far more than just phones. An unauthenticated attacker who can reach the web interface and find WebDialer enabled can go from zero to root without a credential.

This fits a pattern. Unified CM has been a recurring source of unauthenticated, root-level trouble: Cisco pulled a hard-coded root SSH account (CVE-2025-20309, CVSS 10) in July 2025, and patched an actively exploited unauthenticated RCE across its voice products (CVE-2026-20045) in January 2026 — that one landed in CISA’s KEV catalog.

What to do right now

Check WebDialer status on every Unified CM and Unified CM SME node. If it’s Started, you have a public-PoC, unauthenticated-to-root bug live in your environment. Patch to 14SU6 or apply COP1 on the 15 train immediately; if you can’t, disable WebDialer until you can. And confirm your Unified CM administrative and CTI interfaces are not reachable from untrusted networks — voice infrastructure should never be exposed to the internet, and segmentation buys you time the September 15SU5 timeline doesn’t.
