
Cisco Unified CM Vulnerability CVE-2026-20230 Targeted After Public PoC Disclosure 


Filip Dimitrov

June 24, 2026

Cisco has disclosed and patched CVE-2026-20230, a high-severity server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME) that is reachable only when the Cisco WebDialer Web Service is enabled. The flaw carries a CVSS score of 8.6, is exploitable remotely without authentication, and may let an attacker write files to the underlying operating system, which opens a potential path to root-level compromise.

Public proof-of-concept (PoC) code is available, and third-party reporting indicates exploitation attempts were observed in late June 2026.

Details from Cisco are available here

Vulnerability Overview

CVE-2026-20230 affects Cisco Unified CM and Unified CM SME deployments where the Cisco WebDialer Web Service is enabled. WebDialer provides click-to-call functionality and is disabled by default, but it is commonly enabled in enterprises that rely on integrated calling workflows, so "disabled by default" should not be taken as "disabled in your environment".

The vulnerability stems from improper validation of specific HTTP requests handled by WebDialer. By sending a crafted request, an unauthenticated attacker can abuse the service to write files to the operating system. This is what makes the issue more severe than a typical SSRF flaw: an arbitrary file write on the appliance can support follow-on privilege escalation and possible root-level access, rather than merely letting the attacker pivot HTTP requests through the server.

Affected Products and Fixed Versions

The vulnerability affects Cisco Unified CM and Cisco Unified CM SME when WebDialer is enabled. Based on Cisco's advisory, the relevant fixed releases are:

Product / Release Train                                  First Fixed Release
Cisco Unified CM / Unified CM SME Release 14              14SU6
Cisco Unified CM / Unified CM SME Release 15              15SU5 (expected September 2026), or a version-specific COP patch

Cisco notes that COP patches are version-specific, so administrators should carefully review the README and apply the package that matches their exact deployment. For Release 15 environments, where 15SU5 is not yet available, the COP patch is the immediate remediation path.

Administrators should also confirm whether WebDialer is actually running, since a patched release is not the only variable that determines exposure. In Cisco Unified CM Administration, this can be checked as follows:

  • Navigate to Cisco Unified Serviceability > Control Center > Feature Services, and review the status of the Cisco WebDialer Web Service under CTI Services. 

If the status is Started, WebDialer is enabled and the node should be considered exposed if it runs a vulnerable release. Check every node in the cluster where the service is activated, not just the publisher.
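The same check can be scripted for triage across many clusters. The POSIX shell below is an added example written for this page, not Cisco's code or tooling. It parses the output of the Unified CM OS administration CLI commands `utils service list` (service status) and `show version active` (installed release) and combines them into a verdict. The command names are Cisco's, but the output text here is a constructed sample, and the exact line format (`<Service Name>[<STATUS>]`, `Active Master Version: <version>`) is an assumption to verify against a real node before relying on it. The mapping from release train to first fixed release is taken from the advisory table above; the SU-level comparison is left to the operator, because CUCM build numbers do not encode the SU directly.

```shell
#!/bin/sh
# Added example: triage a Unified CM node for CVE-2026-20230 exposure.
# Inputs are pasted CLI output, so the script runs offline.

# Constructed sample of "utils service list" output (format assumed).
SAMPLE_SERVICE_LIST='Cisco CallManager[STARTED]
Cisco CTIManager[STARTED]
Cisco WebDialer Web Service[STARTED]
Cisco Tftp[STOPPED]'

# Constructed sample of "show version active" output (format assumed).
SAMPLE_VERSION='Active Master Version: 14.0.1.13900-155'

# Return 0 if the WebDialer feature service is reported STARTED in $1.
# Anything else (STOPPED, NOT ACTIVATED, missing line) counts as not running,
# matching the advisory's "exposed only if the service is enabled" condition.
webdialer_started() {
    printf '%s\n' "$1" |
        grep -q '^Cisco WebDialer Web Service\[STARTED\][[:space:]]*$'
}

# Echo the major release train (14, 15, ...) from "show version active" output.
major_release() {
    printf '%s\n' "$1" |
        sed -n 's/^Active Master Version:[[:space:]]*\([0-9][0-9]*\)\..*/\1/p'
}

# Echo the first fixed release Cisco lists for a given release train.
fixed_release() {
    case "$1" in
        14) echo "14SU6" ;;
        15) echo "15SU5 (expected September 2026) or the version-specific COP patch" ;;
        *)  echo "not listed in the advisory; consult Cisco's bulletin" ;;
    esac
}

# Verdict for one node: EXPOSED if WebDialer is running, NOT_EXPOSED otherwise.
# A patched release still needs checking by hand against fixed_release().
assess() {
    if webdialer_started "$1"; then
        echo EXPOSED
    else
        echo NOT_EXPOSED
    fi
}

# Stand-alone run against the constructed samples.
train=$(major_release "$SAMPLE_VERSION")
echo "WebDialer verdict: $(assess "$SAMPLE_SERVICE_LIST")"
echo "Release train $train; first fixed release: $(fixed_release "$train")"
```

Paste the real CLI output into the two variables, or feed it through `assess "$(cat service_list.txt)"`. A node that reports NOT_EXPOSED today can flip to EXPOSED the moment someone activates WebDialer, so the check belongs in a recurring compliance job, not a one-off.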

Exploitation Status

Cisco confirmed that proof-of-concept exploit code was already available when the advisory was published. At that time, Cisco stated it was not aware of malicious exploitation. Subsequent reporting from independent researchers, however, indicates that exploitation attempts were observed in late June 2026.

The activity reported so far appears to involve a single source probing for vulnerable systems by writing a test file to the target. A benign-looking file write of this kind is a reconnaissance signal, not proof that no further action followed, so any node that shows an unexpected file dropped by the WebDialer service should be treated as compromised until investigated.

Mitigation and Remediation

The primary remediation is to upgrade to a fixed Cisco release or apply the appropriate version-specific COP patch. For Release 14, organizations should upgrade to 14SU6. For Release 15, Cisco lists 15SU5 or a version-specific COP patch to bridge the gap until the full service update ships.

If immediate patching is not possible, administrators should disable the Cisco WebDialer Web Service where it is not business-critical. Cisco states that disabling WebDialer is an acceptable mitigation until a patch is applied, but it should not be treated as a permanent substitute for upgrading to fixed software. Disabling the service removes click-to-call for users who depend on it, so coordinate the change with the telephony team, and confirm afterwards that the service does not get re-enabled before the fix is in place.


Stay Safe. Stay Secure

OP Innovate Research Team
