CVE-2026-20230: Cisco Unified CM SSRF Flaw Enables Root Privilege Escalation
CVE-2026-20230 is a critical-rated SSRF vulnerability in Cisco Unified Communications Manager that lets an unauthenticated remote attacker write files to the OS and escalate privileges to root via the WebDialer service.

TL;DR
- CVE-2026-20230 is a server-side request forgery (SSRF / CWE-918) flaw in Cisco Unified Communications Manager (Unified CM) and Unified CM SME.
- CVSS base score is 8.6 (High), but Cisco escalated the Security Impact Rating to Critical because exploitation can result in root-level privilege escalation.
- Attack requires no authentication, no user interaction, and is reachable over the network - but only when the WebDialer service is enabled (it is disabled by default).
- No confirmed in-the-wild exploitation and not listed in the CISA KEV catalog at the time of writing.
- Immediate action: disable WebDialer if unused, and follow the Cisco Security Advisory for official patch guidance.
What is CVE-2026-20230?
CVE-2026-20230 is a server-side request forgery vulnerability affecting Cisco Unified Communications Manager. Because the application fails to properly validate specific HTTP requests, an unauthenticated remote attacker can send a crafted request that forces the server to write attacker-controlled files to the underlying operating system, creating a path to full root access.
SSRF (CWE-918) flaws trick a server into making or processing requests on behalf of an attacker. What makes CVE-2026-20230 particularly dangerous beyond a typical SSRF is the chained impact: the file-write primitive the attacker gains can be weaponized in a follow-on step to elevate privileges to root on the host OS, far exceeding what the integrity-only CVSS score implies.
Who is affected?
The vulnerability affects the following Cisco products:
- Cisco Unified Communications Manager (Unified CM) - all versions subject to advisory scope
- Cisco Unified Communications Manager Session Management Edition (Unified CM SME) - all versions subject to advisory scope
Exposure is conditional: the WebDialer service must be enabled on the affected instance. Because WebDialer ships disabled by default, organizations that have never activated it have a significantly reduced attack surface. Any deployment that has turned WebDialer on - commonly done to support click-to-call browser integrations - should treat this as an urgent finding.
How severe is it?
The CVSS 3.1 base score is 8.6, derived from the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N. Breaking that down:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the internet |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | None | Fully unauthenticated |
| User Interaction | None | No victim action needed |
| Scope | Changed | Impact crosses the application security boundary |
| Confidentiality | None | No direct data exposure |
| Integrity | High | Attacker can write files to the OS |
| Availability | None | Service disruption is not the primary risk |
Despite the CVSS score falling in the High band, Cisco explicitly assigned a Critical Security Impact Rating. The reason: the OS-level file write capability feeds a privilege escalation chain to root. An attacker with root on a Unified CM host can intercept call signaling, harvest credentials, pivot into adjacent network segments, or establish persistent access - impacts that dwarf the score's narrow integrity metric.
Is it being exploited?
CVE-2026-20230 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and no confirmed public in-the-wild exploitation has been reported at the time of writing. However, the combination of a network-accessible attack vector, no authentication requirement, and a root escalation outcome makes this a high-value target. Threat actors routinely develop working exploits for unauthenticated Cisco UCM vulnerabilities within weeks of public disclosure. Organizations should not wait for KEV listing before remediating.
How to fix and mitigate it
- Apply the vendor patch. Consult the Cisco Security Advisory for CVE-2026-20230 for the specific fixed software versions applicable to your release train. Do not rely on version numbers from third-party sources.
- Disable WebDialer if it is not operationally required. This eliminates the attack prerequisite entirely. In Cisco Unified CM Administration:
  - Navigate to System > Service Parameters.
  - Select the affected server and the Cisco WebDialer Web Service.
  - Set "Enable WebDialer" to False.
  - Restart the Cisco WebDialer Web Service.
- Restrict network access to Unified CM management and service interfaces. Use perimeter firewalls and internal network ACLs to allow only authorized clients to reach Unified CM HTTP/HTTPS ports (typically 8080/8443). Unified CM should never be directly reachable from untrusted networks.
- Audit service enablement across all cluster nodes. In multi-node Unified CM clusters, verify the WebDialer service status on every subscriber and publisher node - not just the primary.
- Enable intrusion detection on HTTP traffic destined for Unified CM, tuned to flag unusual outbound connections or unexpected POST request patterns to service endpoints.
How to detect exposure
- Verify WebDialer status via Cisco Unified Serviceability (Tools > Control Center - Feature Services). If Cisco WebDialer Web Service shows as Started, the attack surface is active.
- Review Unified CM application logs (/var/log/active/ on the appliance) for unexpected HTTP requests targeting WebDialer endpoints, particularly requests with unusual or external URLs embedded in parameters.
- Check for unexpected files written to the OS filesystem since the advisory publication date (2026-06-03). Cisco TAC or a forensic review may be required for thorough analysis.
- Network monitoring: Look for outbound HTTP/HTTPS connections originating from the Unified CM host itself to unexpected external IP addresses - a classic SSRF behavioral indicator.
- SIEM correlation: Alert on Unified CM hosts generating outbound connections on ports 80 or 443 to destinations outside your known infrastructure.
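The network-monitoring and SIEM checks above can be expressed as a simple egress rule: flag any HTTP/HTTPS connection that originates from a Unified CM node and is destined outside your known infrastructure. The script below is an added example, not Cisco tooling or code from the advisory; the UCM node addresses, the infrastructure ranges and the flow records are all constructed for illustration and would be replaced with your own inventory and your flow/firewall export.

```python
import ipaddress

# Constructed inventory: Unified CM publisher/subscriber addresses and the
# address ranges that count as "known infrastructure" (assumptions).
UCM_HOSTS = {"10.10.5.20", "10.10.5.21"}
KNOWN_INFRA = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
WATCH_PORTS = {80, 443}  # outbound web ports named in the SIEM correlation rule

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto".
SAMPLE_FLOWS = """\
2026-06-04T10:01:02Z 10.10.5.20 51234 10.10.5.30 443 tcp
2026-06-04T10:01:05Z 10.10.5.20 51240 203.0.113.45 80 tcp
2026-06-04T10:01:09Z 10.10.5.99 51300 198.51.100.7 443 tcp
2026-06-04T10:01:12Z 10.10.5.21 51410 198.51.100.7 443 tcp
2026-06-04T10:01:15Z 10.10.5.21 51420 8.8.8.8 53 udp
"""


def parse_flow(line):
    """Split one whitespace-delimited flow record into a dict."""
    ts, src, _sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def is_known_infra(ip):
    """True when the address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_INFRA)


def find_ssrf_egress(lines):
    """Return flow records that match the SSRF behavioural indicator:
    the Unified CM host itself opening HTTP/HTTPS connections to
    destinations outside known infrastructure."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_flow(line)
        if rec["src"] not in UCM_HOSTS:
            continue  # only connections initiated by a Unified CM node matter here
        if rec["dport"] not in WATCH_PORTS:
            continue  # DNS, NTP, SIP etc. are out of scope for this rule
        if is_known_infra(rec["dst"]):
            continue  # expected traffic to internal services
        alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for hit in find_ssrf_egress(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT {hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']}")
```

On the constructed sample only the two connections from UCM nodes to 203.0.113.45:80 and 198.51.100.7:443 are reported; the non-UCM source, the internal destination and the DNS flow are ignored.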
Frequently asked questions
Does CVE-2026-20230 require authentication to exploit?
No. The CVSS vector confirms PR:N (no privileges required) and UI:N (no user interaction). Any unauthenticated remote attacker who can reach the affected device over the network can send the crafted HTTP request needed to trigger the vulnerability.
Is WebDialer enabled by default on Cisco Unified CM?
No. Cisco states that WebDialer is disabled by default. Deployments that have never explicitly enabled the service are not exposed to this attack path, making service inventory checks a fast first triage step for administrators.
Why does Cisco rate this Critical when the CVSS score is only 8.6 High?
Cisco raised the Security Impact Rating to Critical because a successful exploit chains SSRF-driven file writes into a full root privilege escalation on the underlying OS - an impact not fully captured by the base CVSS integrity score alone.
Is CVE-2026-20230 listed in the CISA Known Exploited Vulnerabilities catalog?
No. At the time of writing, CVE-2026-20230 is not listed in the CISA KEV catalog and no confirmed in-the-wild exploitation has been publicly reported. Organizations should still treat it as high-priority given the unauthenticated remote attack vector.