Introduction
An unauthenticated SSRF vulnerability in Cisco Unified Communications Manager allows remote attackers to write arbitrary files to the underlying operating system and ultimately escalate privileges to root. With proof-of-concept code already public and Cisco Unified CM serving over 30 million enterprise users worldwide, this is the second Critical-rated vulnerability to hit the platform in 2026, following a zero-day RCE that was actively exploited earlier this year.
The saving grace is a prerequisite: the WebDialer service must be enabled for exploitation, and it is disabled by default. But for organizations that have turned it on to support click-to-dial workflows, the exposure is severe.
Technical Information
Root Cause: Improper Input Validation in WebDialer HTTP Handling
CVE-2026-20230 is classified under CWE-918: Server-Side Request Forgery (SSRF). The vulnerability exists because the WebDialer service in Cisco Unified CM and Unified CM SME does not properly validate user-supplied input in specific HTTP requests. This allows an attacker to manipulate the server into making requests on their behalf, a classic SSRF pattern where the application acts as an unintended proxy (related to CWE-441: Confused Deputy and CWE-610: Externally Controlled Reference to a Resource in Another Sphere).
SSRF is listed as A10:2021 in the OWASP Top 10 and has been a component of several high-profile exploitation chains, including CVE-2021-26855 (the Microsoft Exchange Server SSRF used in the Hafnium campaign).
CVSS Vector Breakdown
The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N, which breaks down as follows:
| Component | Value | Interpretation |
|---|---|---|
| Attack Vector | Network | Exploitable remotely |
| Attack Complexity | Low | No specialized conditions |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No user action required |
| Scope | Changed | Impact crosses security boundary |
| Confidentiality | None | No direct data disclosure |
| Integrity | High | Complete integrity compromise |
| Availability | None | No direct availability impact |
The "Scope: Changed" designation is particularly important. It indicates that the vulnerability in the WebDialer component allows the attacker to affect resources beyond the vulnerable component's own security scope, specifically the underlying operating system.
Exploitation Flow
The attack proceeds through the following stages:
-
Reconnaissance: The attacker identifies a Cisco Unified CM or Unified CM SME instance with the WebDialer service enabled and accessible over the network.
-
Crafted HTTP Request: The attacker sends a specially crafted HTTP request to the web-based management interface of the affected device. The request exploits the improper input validation in the WebDialer service to trigger an SSRF action.
-
File Write via SSRF: The server processes the attacker-controlled request and, through the SSRF mechanism, writes files to the underlying operating system. This is notable because it goes beyond typical SSRF scenarios that involve information disclosure or internal network scanning; here, the SSRF enables direct file system manipulation.
-
Privilege Escalation to Root: The files written to the OS in the previous step are then used to elevate privileges to root. Cisco's advisory explicitly states that "exploitation of this vulnerability could result in an attacker elevating privileges to root," which is why they overrode the CVSS-derived "High" severity to assign a "Critical" Security Impact Rating.
Why Cisco Elevated the Severity
A CVSS 3.1 base score of 8.6 normally maps to a "High" severity rating. Cisco explicitly overrode this to assign a "Critical" SIR. The rationale is straightforward: the CVSS model captures the integrity impact of the SSRF itself (file writes), but the downstream consequence of root privilege escalation on a telephony platform that may serve thousands of endpoints represents a more severe real-world impact than the numerical score conveys. Organizations should triage based on the Critical SIR, not the 8.6 score alone.
The WebDialer Prerequisite
The WebDialer service must be enabled for exploitation to succeed. WebDialer provides click-to-dial functionality from web applications and is disabled by default in Cisco Unified CM deployments. This prerequisite creates an interesting risk profile: it substantially reduces the total vulnerable population, but the organizations that have enabled WebDialer tend to be larger enterprises with more complex telephony environments, meaning the subset of vulnerable deployments may represent disproportionately high-value targets.
Affected Systems and Versions
The following products and releases are confirmed vulnerable:
| Product | Vulnerable Release | First Fixed Release |
|---|---|---|
| Cisco Unified Communications Manager (Unified CM) | Release 14 | 14SU6 |
| Cisco Unified Communications Manager (Unified CM) | Release 15 | 15SU5 (September 2026) or COP patch |
| Cisco Unified CM Session Management Edition (Unified CM SME) | Release 14 | 14SU6 |
| Cisco Unified CM Session Management Edition (Unified CM SME) | Release 15 | 15SU5 (September 2026) or COP patch |
The vulnerability is only exploitable when the WebDialer service is enabled. WebDialer is disabled by default. The associated Cisco Bug ID is CSCws67331.
Products not listed in the "Vulnerable Products" section of the Cisco advisory are not known to be affected.
Vendor Security History
Cisco Unified CM has experienced a pattern of critical vulnerabilities in 2026 that warrants attention:
CVE-2026-20045 (January 2026): A critical Remote Code Execution vulnerability (CVSS 8.2) affecting Cisco Unified CM, Unified CM SME, Unified CM IM and Presence Service, Unity Connection, and Webex Calling Dedicated Instance. This vulnerability was actively exploited as a zero-day before Cisco released patches on January 21, 2026. Like CVE-2026-20230, it stemmed from improper validation of user-supplied input in HTTP requests to the web-based management interface and allowed root privilege escalation.
The parallels between these two vulnerabilities are striking:
| Dimension | CVE-2026-20230 | CVE-2026-20045 |
|---|---|---|
| Vulnerability Class | SSRF (CWE-918) | RCE (Code Injection) |
| CVSS 3.1 Score | 8.6 | 8.2 |
| Cisco SIR | Critical | Critical |
| Authentication Required | None | None |
| Service Prerequisite | WebDialer enabled | None |
| Active Exploitation | PoC available; no malicious use confirmed | Confirmed zero-day exploitation |
| Root Escalation | Yes (indirect via file write) | Yes (direct) |
Both vulnerabilities arise from improper input validation of HTTP requests to web-based interfaces, suggesting a systemic pattern in the Unified CM codebase rather than isolated defects. Organizations should anticipate further vulnerabilities in this attack surface and implement compensating controls that provide protection beyond individual CVE patches.
References
- Cisco Security Advisory: cisco-sa-cucm-ssrf-cXPnHcW
- NVD: CVE-2026-20230
- CWE-918: Server-Side Request Forgery (SSRF)
- OWASP Top 10 A10:2021 Server-Side Request Forgery
- OWASP SSRF Prevention Cheat Sheet
- Cisco Unified CM Security Advisories List
- NVD: CVE-2026-20045
- CISA Known Exploited Vulnerabilities Catalog
- Proofpoint: 2026 Vulnerability Exploitation in the Wild
- Recorded Future: January 2026 CVE Landscape
- Unified Communications Market Size Report



