Cisco Unified CM critical SSRF CVE-2026-20230 lets unauthenticated attackers write files and escalate to root - public PoC, WebDialer required
Cisco has patched CVE-2026-20230, a critical server-side request forgery flaw in Unified Communications Manager (formerly CallManager), the central control system for Cisco IP telephony. An unauthenticated remote attacker can send a crafted HTTP request to write files to the underlying OS and later elevate to root - Cisco rated it Critical, higher than the CVSS score alone would suggest, because of that root-escalation potential. Cisco's PSIRT is aware of public proof-of-concept exploit code but has not seen active exploitation yet. The flaw only affects systems with the WebDialer service enabled, which is off by default. There are no workarounds; admins should upgrade to Unified CM 14SU6 or 15SU5, or disable WebDialer until patched.
- Check: Inventory Cisco Unified CM deployments and check whether WebDialer is enabled (Tools > Service Activation > CTI Services). Confirm each node's version against the fixed releases, 14SU6 and 15SU5. Monitor for crafted HTTP requests.
- Affected: Cisco Unified CM systems with the WebDialer service enabled (off by default). CVE-2026-20230 allows unauthenticated SSRF to write files and escalate to root. A public PoC exists; no active exploitation has been seen yet.
- Fix: Upgrade to Unified CM 14SU6 or 15SU5. If patching must wait, disable the Cisco WebDialer Web Service via Service Activation to block exploitation. No other workaround exists.