Cisco patches Unified CM SSRF after PoC exploit appears
Cisco fixed CVE-2026-20230 in Unified Communications Manager after a public PoC showed an unauthenticated network actor could write files and escalate to root when WebDialer runs.
Cisco has issued patches for a server-side request forgery vulnerability tracked as CVE-2026-20230 in Unified Communications Manager after proof-of-concept exploit code became public. The flaw can let an unauthenticated actor on the network write files to the system and then escalate to root privileges when the Cisco WebDialer service is active.
The issue stems from Unified CM and its Session Management Edition failing to validate certain HTTP requests. Crafted requests can cause the server to write arbitrary files to the underlying operating system; those files can be used as a foothold for privilege escalation to root. The vulnerability carries a CVSS base score of 8.6, which reflects the integrity impact of file writes. Cisco’s Product Security Incident Response Team (PSIRT) noted that the advisory was classified as Critical because successful exploitation can result in full root access. PSIRT wrote, “We have not seen the flaw used in attacks yet,” and warned that the availability of public proof-of-concept code reduces the time defenders have to respond.
Only deployments with the Cisco WebDialer Web Service running are vulnerable. WebDialer is disabled by default but is commonly enabled by administrators. To check exposure, open Cisco Unified CM Administration, switch to Cisco Unified Serviceability, select Tools then Control Center – Feature Services, and view the Cisco WebDialer Web Service status under CTI Services. A status of Started indicates the service is running and the system is exposed. As an interim mitigation, WebDialer can be disabled under Tools then Service Activation by unchecking the service and saving changes.
Cisco published fixes for affected release trains. The 14 train is remediated in 14SU6. For the 15 train, the complete Service Update 15SU5 is scheduled for September 2026; until that release is available, Cisco has published an interim COP patch for affected 15-train systems, or administrators may disable WebDialer to reduce exposure. The vulnerability was reported by an independent researcher working with SSD Secure Disclosure.
Unified CM has had other recent high-severity issues. In July Cisco removed a hard-coded root SSH account tracked as CVE-2025-20309. In January Cisco patched an unauthenticated remote code execution flaw across several voice products, CVE-2026-20045, which had been observed in active exploitation and was added to the U.S. Cybersecurity and Infrastructure Security Agency’s known-exploited vulnerabilities list.
Cisco advises applying the published fixes and reviewing WebDialer status in Unified Serviceability. The company also provided an interim COP patch for 15-train users until 15SU5 is released.