CVE: CVE-2026-20230 | CVSS 3.1: 8.6 (HIGH) | Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | CWE: CWE-918 | Vendor: Cisco | Product: Unified Communications Manager (Unified CM) and Unified CM Session Management Edition
What Is the Vulnerability
Cisco Unified Communications Manager (Unified CM) contains a server-side request forgery (SSRF) vulnerability. An unauthenticated remote attacker can send a specially crafted HTTP request to the WebDialer service that allows them to write arbitrary files to the underlying operating system, ultimately achieving root-level code execution on the VoIP platform.
The vulnerability exists because Unified CM does not properly validate HTTP requests sent to the WebDialer component. A crafted request lets the attacker use the SSRF to reach internal services and write files to the filesystem; those files can then be used to execute commands as root. Exploitation requires WebDialer to be enabled. It is disabled by default, but organisations that use click-to-call from web and desktop applications commonly turn it on.
This is a high-impact enterprise VoIP vulnerability. Unified CM processes telephony for organisations globally; compromise of the platform could enable call interception, eavesdropping, toll fraud, and lateral movement into the wider enterprise network.
Versions Affected
- Cisco Unified Communications Manager (Unified CM) — versions prior to the patched release (see Cisco advisory cisco-sa-cucm-ssrf-cXPnHcW for specific version ranges)
- Cisco Unified Communications Manager Session Management Edition (Unified CM SME) — versions prior to the patched release
Only deployments where WebDialer is enabled are vulnerable. WebDialer is disabled by default. Organisations that have enabled WebDialer for click-to-call functionality should assume exposure.
Exploited?
YES — Actively exploited in the wild. Security firm Defused reports active exploitation since the weekend of June 21–22, 2026. Cisco has not yet confirmed active exploitation — the vendor’s advisory (published June 3) stated that public proof-of-concept exploit code was available but that Cisco was not aware of active exploitation at the time. Defused’s report represents the first credible claim of in-the-wild exploitation. CISA has not yet added this CVE to the KEV catalog, but the active exploitation report, if confirmed, would likely trigger a BOD 26-04 KEV listing with a 3-day remediation deadline.
Organisations with internet-facing Cisco Unified CM deployments where WebDialer is enabled should assume they are at immediate risk of exploitation.
Fix
Cisco released a security patch for this vulnerability on June 3, 2026 — nearly three weeks before active exploitation was reported. Apply the patch immediately.
- Primary fix: Apply the Cisco security update per Cisco Security Advisory cisco-sa-cucm-ssrf-cXPnHcW.
- Workaround: If immediate patching is not possible, disable the WebDialer feature. WebDialer runs as the Cisco WebDialer Web Service, a feature service that can be deactivated in Cisco Unified Serviceability (Tools > Service Activation); service activation is per node, so check every node in the cluster. WebDialer is not required for core telephony functionality; it only enables click-to-call from web and desktop applications.
- Access control: Restrict network access to Unified CM administrative and WebDialer interfaces (HTTPS on TCP 8443) to trusted IP ranges only.
Recommendations
- Patch immediately. The Cisco advisory has been available since June 3 — organisations that have not yet patched are now three weeks behind on a vulnerability with public exploit code and active exploitation.
- Disable WebDialer if it is not operationally required. This eliminates the attack surface entirely.
- Audit Unified CM access logs. Review the web server (Tomcat) access logs for HTTP requests to WebDialer paths (under /webdialer/), particularly from external IP addresses or from addresses outside the ranges that legitimately use click-to-call, and for bursts of requests or unusual status codes from a single source.
- Network segmentation. Ensure Unified CM management interfaces are not directly exposed to the internet. Place VoIP infrastructure behind firewalls with strict access control lists.
- Monitor for CISA KEV addition. If CISA adds this CVE to the KEV catalog, a 3-day BOD 26-04 remediation deadline will apply. Proactive patching now avoids a compressed compliance window.
- Check for file system indicators. Look for unexpected files in Unified CM’s filesystem, particularly in directories writable by the web service account.
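The log review recommended above, as an added example that is not part of the original page and not Cisco tooling: a Python script that scans access log lines in Apache combined format for requests under the WebDialer path prefix from addresses outside RFC 1918 space and tallies them per source. The combined log format, the /webdialer/ prefix as the only WebDialer path, and the choice of RFC 1918 ranges as "trusted" are assumptions; adjust them to the node's actual log format and to the subnets that legitimately use click-to-call. The sample log lines are constructed.

```python
"""Flag requests to Unified CM WebDialer endpoints from non-internal sources.

Added example, not Cisco code. Assumes Apache combined log format and that
WebDialer is served under the /webdialer/ path prefix.
"""
import ipaddress
import re
from collections import Counter

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed path prefix of the WebDialer servlet and its helpers.
WEBDIALER_PREFIX = "/webdialer/"

# Assumed "trusted" space: RFC 1918 ranges. Narrow this to the subnets that
# actually use click-to-call in your environment.
TRUSTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip_str, nets=TRUSTED_NETS):
    """True if ip_str parses as an address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Unparseable source field: treat as untrusted so it is not silently dropped.
        return False
    return any(ip in net for net in nets)


def find_suspicious(lines, nets=TRUSTED_NETS):
    """Return parsed records for WebDialer requests from untrusted sources."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a production version would count these
        if not rec["path"].startswith(WEBDIALER_PREFIX):
            continue
        if is_trusted(rec["ip"], nets):
            continue
        hits.append(rec)
    return hits


def summarise(hits):
    """Per-source counts, plus the set of status codes each source produced."""
    counts = Counter(h["ip"] for h in hits)
    statuses = {}
    for h in hits:
        statuses.setdefault(h["ip"], set()).add(h["status"])
    return counts, statuses


# Constructed sample log lines (not real traffic). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external sources.
SAMPLE_LOG = """\
192.168.10.25 - - [22/Jun/2026:09:14:02 +0000] "GET /webdialer/Webdialer HTTP/1.1" 200 1412 "-" "Mozilla/5.0"
203.0.113.45 - - [22/Jun/2026:09:15:11 +0000] "POST /webdialer/Webdialer HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.45 - - [22/Jun/2026:09:15:13 +0000] "POST /webdialer/Webdialer HTTP/1.1" 500 88 "-" "python-requests/2.31"
198.51.100.7 - - [22/Jun/2026:09:20:40 +0000] "GET /ccmadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not in the expected format
"""


if __name__ == "__main__":
    suspicious = find_suspicious(SAMPLE_LOG.splitlines())
    counts, statuses = summarise(suspicious)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} WebDialer request(s), statuses {sorted(statuses[ip])}")
```

Run it against a log export and review any source it lists; a single external address issuing repeated POSTs to the WebDialer servlet, especially with a mix of 200 and 500 responses, is the pattern worth escalating. The malformed line is skipped rather than crashing the scan, which matters when reviewing large or partially corrupted exports.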
References
- Cisco Security Advisory cisco-sa-cucm-ssrf-cXPnHcW (Vendor Advisory)
- NVD Entry for CVE-2026-20230
- Security.nl: Kritiek lek in Cisco Unified Communications Manager misbruikt bij aanvallen (Dutch Security News)
- CISA KEV Catalog (monitor for addition)
Part of the Vulnerability Intelligence series on threat-modeling.com. Active exploitation reported by Defused. CISA KEV status is pending confirmation. See the June 25, 2026 Vulnerability Intelligence Report for broader context.
