Cisco Unified Communications Manager has a serious vulnerability, tracked as CVE-2026-20230 (CVSS score of 8.6), that attackers are already exploiting. The flaw, caused by improper validation of certain HTTP requests, allows a remote attacker without authentication to perform server-side request forgery (SSRF) attacks. In early June, Cisco warned that public PoC code is available and that successful exploitation could allow attackers to write files that may later be used to gain root privileges.
This makes affected systems high risk if they are exposed, so administrators should handle them with care.
“This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device.” reads the advisory. “A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.”
Cisco rated this advisory as Critical instead of High because successful exploitation could allow an attacker to escalate privileges to root. However, the risk depends on configuration: the vulnerability can only be exploited if the WebDialer service is enabled, which is disabled by default on affected systems.
There is no full workaround for this vulnerability. The networking giant recommends mitigating risk by disabling the WebDialer service until a patch is applied. Administrators can do this through the Unified CM Administration interface by going to Unified Serviceability, opening Service Activation under Tools, and unchecking the WebDialer Web Service option in the CTI Services section before saving the changes.
Below are the fixed releases:
| Cisco Unified CM and Unified CM SME Release | First Fixed Release |
|---|---|
| 14 | 14SU6 |
| 15 | 15SU5 (Sep 2026) or COP1 |
The company confirms that PoC exploit code for the vulnerability is publicly available. However, the PSIRT is not aware of attacks in the wild exploiting this issue.
This week, Defused Cyber researchers confirmed they had observed active exploitation of the issue in attacks in the wild.
“Over the weekend we observed exploitation of CVE-2026-20230 – Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6)” the researchers wrote on X. “No previously recorded exploitation, and not yet listed in CISA KEV.
This is currently being exploited from a single source using an unvetted PoC, with genuinely-formatted file:// file-write payloads landing on our decoys. Track Cisco CUCM exploitation”
At this time, Cisco PSIRT has yet to confirm active exploitation of the flaw.
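For defenders who want to check their own request logs for the `file://` payloads the researchers describe, the following is an added example, not code from Cisco or Defused Cyber. It flags requests to WebDialer that carry a `file://` scheme, including percent-encoded and double-encoded forms; the log layout, the `/webdialer` path marker and the parameter name in the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample records: "<source> <method> <request-target> <body or ->".
# The path and the parameter name "param" are assumptions, not advisory details.
SAMPLE_LOG = """\
198.51.100.7 GET /webdialer/Webdialer?destination=1000 -
203.0.113.9 POST /webdialer/Webdialer param=file%3A%2F%2F%2Ftmp%2Fexample
203.0.113.9 POST /webdialer/Webdialer param=%2566ile%253A%252F%252F%252Ftmp%252Fexample
198.51.100.7 GET /ccmadmin/showHome.do -
192.0.2.44 GET /webdialer/Webdialer?param=FILE:///tmp/example -
"""

FILE_SCHEME = re.compile(r"file:/", re.IGNORECASE)

def fully_decode(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded schemes are still visible."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan(log_text, path_marker="/webdialer"):
    """Return (line number, source, method) for WebDialer requests with file://."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # malformed record, skip rather than crash
        source, method, target = parts[:3]
        body = parts[3] if len(parts) > 3 else ""
        if path_marker not in fully_decode(target).lower():
            continue  # not a WebDialer request
        if FILE_SCHEME.search(fully_decode(target + " " + body)):
            hits.append((lineno, source, method))
    return hits

def sources(hits):
    """Count flagged requests per source address."""
    return Counter(src for _, src, _ in hits)

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for lineno, src, method in found:
        print(f"line {lineno}: {method} from {src} carries a file:// scheme")
    print(dict(sources(found)))
```

Standard access logs usually omit request bodies, so this check is only as complete as the logging source that feeds it.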
(SecurityAffairs – hacking, CVE-2026-20230)