Cisco Unified CM SSRF Flaw Lets Attackers Gain Root Access
Cisco has disclosed a critical Server-Side Request Forgery (SSRF) vulnerability in its Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME), warning that an unauthenticated remote attacker could exploit it to gain root-level privileges on affected systems.
Tracked as CVE-2026-20230 under advisory ID cisco-sa-cucm-ssrf-cXPnHcW, the flaw carries a CVSS base score of 8.6 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N.
Cisco elevated the Security Impact Rating (SIR) to Critical beyond what the numeric score alone indicates, specifically because successful exploitation can result in full root privilege escalation on the underlying operating system.
Classified under CWE-918 (Server-Side Request Forgery), the vulnerability stems from improper input validation for specific HTTP requests within the platform.
An attacker can exploit this flaw by sending a specially crafted HTTP request to a vulnerable device. This causes the system to write arbitrary files to the underlying operating system.
These files can then be leveraged in a chained follow-up attack to escalate privileges to root, effectively handing the attacker full system control with no authentication required.
A critical prerequisite for exploitation is that the Cisco WebDialer service must be running on the target system. Since WebDialer is disabled by default, organizations that have never enabled it are not exposed.
However, enterprise telephony environments commonly enable this feature to support click-to-dial functionality, making it a realistic and widely present attack surface in production deployments.
Cisco’s Product Security Incident Response Team (PSIRT) has confirmed that proof-of-concept (PoC) exploit code is publicly available, significantly raising the risk of active exploitation in the wild.
Affected Products and Fixed Versions
Both Cisco Unified CM and Unified CM SME are affected when the WebDialer service is enabled. Cisco has released version-specific patches:
- Release 14: Upgrade to 14SU6
- Release 15: Upgrade to 15SU5 (expected September 2026) or apply the available COP1 patch
Administrators should consult the README file accompanying each patch for deployment-specific guidance before proceeding.
Mitigation Steps
Cisco has confirmed there are no full workarounds that completely remediate the vulnerability. However, organizations can reduce exposure by disabling the WebDialer service using the following steps:
- Navigate to Cisco Unified Serviceability → Tools → Service Activation
- Uncheck Cisco WebDialer Web Service
- Save the configuration
Cisco strongly advises evaluating the operational impact of disabling WebDialer before applying this mitigation in production environments, as it will affect end-user click-to-dial functionality.
Given the publicly available working PoC exploit code and the severe potential impact of a root-level system compromise, organizations running Cisco Unified CM should treat this as a high-priority patching emergency.
Security teams should audit whether WebDialer is enabled across their deployments, apply available patches immediately, and monitor for any signs of exploitation activity targeting their Unified CM infrastructure.
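As an added example (not Cisco's code or part of the advisory), the following helper applies the advisory's two exposure conditions, WebDialer enabled and a release below the fixed version (or, for Release 15, without the COP1 patch), to an inventory of Unified CM hosts. The inventory fields and the "14SU5"-style version notation are assumptions; the sample hosts are constructed.

```python
import re
from dataclasses import dataclass

# Fixed releases named in the advisory: Release 14 -> 14SU6, Release 15 -> 15SU5 (or COP1 patch).
FIXED_SU = {14: 6, 15: 5}

# Assumed notation "<release>SU<n>", e.g. "14SU5"; adapt to your inventory's real version field.
_VERSION_RE = re.compile(r"^(\d+)SU(\d+)$")


@dataclass
class Host:
    name: str
    version: str
    webdialer_enabled: bool   # state of "Cisco WebDialer Web Service" in Service Activation
    cop1_applied: bool = False  # only meaningful for Release 15


def parse_version(version: str) -> tuple[int, int]:
    m = _VERSION_RE.match(version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised Unified CM version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_patched(version: str, cop1_applied: bool = False) -> bool:
    release, su = parse_version(version)
    if release not in FIXED_SU:
        return False  # release not covered by the advisory's fix table: treat as unpatched
    if release == 15 and cop1_applied:
        return True   # COP1 is the interim fix for Release 15 until 15SU5 ships
    return su >= FIXED_SU[release]


def assess(host: Host) -> str:
    """Classify a host as 'patched', 'not-exposed' (vulnerable code, WebDialer off) or 'exposed'."""
    if is_patched(host.version, host.cop1_applied):
        return "patched"
    if not host.webdialer_enabled:
        return "not-exposed"  # the WebDialer prerequisite is not met, but patching is still due
    return "exposed"


def triage(hosts: list[Host]) -> dict[str, str]:
    return {h.name: assess(h) for h in hosts}


# Constructed sample inventory
SAMPLE_INVENTORY = [
    Host("cucm-pub-01", "14SU5", webdialer_enabled=True),
    Host("cucm-sub-02", "14SU6", webdialer_enabled=True),
    Host("cucm-sme-01", "15SU4", webdialer_enabled=True, cop1_applied=True),
    Host("cucm-lab-01", "15SU4", webdialer_enabled=False),
]
```

Hosts classified "exposed" need the WebDialer service disabled or the patch applied first; "not-exposed" hosts should still be patched before anyone enables WebDialer.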