ZeroPath at Black Hat USA 2026

Cisco Unified Communications Manager CVE-2026-20230: Critical SSRF Leading to Root Privilege Escalation

A brief summary of CVE-2026-20230, a critical SSRF vulnerability in Cisco Unified Communications Manager that enables unauthenticated file writes and root privilege escalation when the WebDialer service is enabled.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-03

Cisco Unified Communications Manager CVE-2026-20230: Critical SSRF Leading to Root Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated SSRF vulnerability in Cisco Unified Communications Manager allows remote attackers to write arbitrary files to the underlying operating system and ultimately escalate privileges to root. With proof-of-concept code already public and Cisco Unified CM serving over 30 million enterprise users worldwide, this is the second Critical-rated vulnerability to hit the platform in 2026, following a zero-day RCE that was actively exploited earlier this year.

The saving grace is a prerequisite: the WebDialer service must be enabled for exploitation, and it is disabled by default. But for organizations that have turned it on to support click-to-dial workflows, the exposure is severe.

Technical Information

Root Cause: Improper Input Validation in WebDialer HTTP Handling

CVE-2026-20230 is classified under CWE-918: Server-Side Request Forgery (SSRF). The vulnerability exists because the WebDialer service in Cisco Unified CM and Unified CM SME does not properly validate user-supplied input in specific HTTP requests. This allows an attacker to manipulate the server into making requests on their behalf, a classic SSRF pattern where the application acts as an unintended proxy (related to CWE-441: Confused Deputy and CWE-610: Externally Controlled Reference to a Resource in Another Sphere).

SSRF is listed as A10:2021 in the OWASP Top 10 and has been a component of several high-profile exploitation chains, including CVE-2021-26855 (the Microsoft Exchange Server SSRF used in the Hafnium campaign).

CVSS Vector Breakdown

The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N, which breaks down as follows:

ComponentValueInterpretation
Attack VectorNetworkExploitable remotely
Attack ComplexityLowNo specialized conditions
Privileges RequiredNoneNo authentication needed
User InteractionNoneNo user action required
ScopeChangedImpact crosses security boundary
ConfidentialityNoneNo direct data disclosure
IntegrityHighComplete integrity compromise
AvailabilityNoneNo direct availability impact

The "Scope: Changed" designation is particularly important. It indicates that the vulnerability in the WebDialer component allows the attacker to affect resources beyond the vulnerable component's own security scope, specifically the underlying operating system.

Exploitation Flow

The attack proceeds through the following stages:

  1. Reconnaissance: The attacker identifies a Cisco Unified CM or Unified CM SME instance with the WebDialer service enabled and accessible over the network.

  2. Crafted HTTP Request: The attacker sends a specially crafted HTTP request to the web-based management interface of the affected device. The request exploits the improper input validation in the WebDialer service to trigger an SSRF action.

  3. File Write via SSRF: The server processes the attacker-controlled request and, through the SSRF mechanism, writes files to the underlying operating system. This is notable because it goes beyond typical SSRF scenarios that involve information disclosure or internal network scanning; here, the SSRF enables direct file system manipulation.

  4. Privilege Escalation to Root: The files written to the OS in the previous step are then used to elevate privileges to root. Cisco's advisory explicitly states that "exploitation of this vulnerability could result in an attacker elevating privileges to root," which is why they overrode the CVSS-derived "High" severity to assign a "Critical" Security Impact Rating.

Why Cisco Elevated the Severity

A CVSS 3.1 base score of 8.6 normally maps to a "High" severity rating. Cisco explicitly overrode this to assign a "Critical" SIR. The rationale is straightforward: the CVSS model captures the integrity impact of the SSRF itself (file writes), but the downstream consequence of root privilege escalation on a telephony platform that may serve thousands of endpoints represents a more severe real-world impact than the numerical score conveys. Organizations should triage based on the Critical SIR, not the 8.6 score alone.

The WebDialer Prerequisite

The WebDialer service must be enabled for exploitation to succeed. WebDialer provides click-to-dial functionality from web applications and is disabled by default in Cisco Unified CM deployments. This prerequisite creates an interesting risk profile: it substantially reduces the total vulnerable population, but the organizations that have enabled WebDialer tend to be larger enterprises with more complex telephony environments, meaning the subset of vulnerable deployments may represent disproportionately high-value targets.

Affected Systems and Versions

The following products and releases are confirmed vulnerable:

ProductVulnerable ReleaseFirst Fixed Release
Cisco Unified Communications Manager (Unified CM)Release 1414SU6
Cisco Unified Communications Manager (Unified CM)Release 1515SU5 (September 2026) or COP patch
Cisco Unified CM Session Management Edition (Unified CM SME)Release 1414SU6
Cisco Unified CM Session Management Edition (Unified CM SME)Release 1515SU5 (September 2026) or COP patch

The vulnerability is only exploitable when the WebDialer service is enabled. WebDialer is disabled by default. The associated Cisco Bug ID is CSCws67331.

Products not listed in the "Vulnerable Products" section of the Cisco advisory are not known to be affected.

Vendor Security History

Cisco Unified CM has experienced a pattern of critical vulnerabilities in 2026 that warrants attention:

CVE-2026-20045 (January 2026): A critical Remote Code Execution vulnerability (CVSS 8.2) affecting Cisco Unified CM, Unified CM SME, Unified CM IM and Presence Service, Unity Connection, and Webex Calling Dedicated Instance. This vulnerability was actively exploited as a zero-day before Cisco released patches on January 21, 2026. Like CVE-2026-20230, it stemmed from improper validation of user-supplied input in HTTP requests to the web-based management interface and allowed root privilege escalation.

The parallels between these two vulnerabilities are striking:

DimensionCVE-2026-20230CVE-2026-20045
Vulnerability ClassSSRF (CWE-918)RCE (Code Injection)
CVSS 3.1 Score8.68.2
Cisco SIRCriticalCritical
Authentication RequiredNoneNone
Service PrerequisiteWebDialer enabledNone
Active ExploitationPoC available; no malicious use confirmedConfirmed zero-day exploitation
Root EscalationYes (indirect via file write)Yes (direct)

Both vulnerabilities arise from improper input validation of HTTP requests to web-based interfaces, suggesting a systemic pattern in the Unified CM codebase rather than isolated defects. Organizations should anticipate further vulnerabilities in this attack surface and implement compensating controls that provide protection beyond individual CVE patches.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization