What is Cisco Unified Communications Manager?
Cisco Unified Communications Manager (Unified CM, also known as CUCM) is the call-processing core of Cisco's enterprise telephony platform, deployed by government agencies, financial institutions, hospitals, and large enterprises to manage IP telephony, voicemail, video conferencing, and unified messaging. Unified CM Session Management Edition (SME) is a specialized variant for large hierarchical telephony deployments. These systems frequently sit at network perimeters, process sensitive communications, and run as trusted appliances — making root-level compromise particularly dangerous for both data interception and lateral network movement.
Overview
CVE-2026-20230 is a server-side request forgery (SSRF) vulnerability in the WebDialer service of Cisco Unified CM and Unified CM SME. An unauthenticated remote attacker can send a crafted HTTP request that causes the server to make internal requests, which can be chained to write arbitrary files to the operating system and escalate to root.
Cisco rated the base CVSS score at 8.6 HIGH, but internally classified its Security Impact Rating as Critical due to the root escalation path. A public proof-of-concept was released two days after the advisory. Active exploitation was confirmed less than 24 hours after the PoC became widely available. CISA added the vulnerability to the KEV catalog on June 25, 2026.
Important: The WebDialer service is disabled by default. Instances where WebDialer has not been enabled are not exploitable via this vulnerability.
Affected Versions
| Product | Fixed Version |
|---|---|
| Cisco Unified CM 14 | 14SU6 |
| Cisco Unified CM 15 | 15SU5 (September 2026) or COP file (available sooner) |
| Cisco Unified CM SME | Aligned with above |
Cisco Bug ID: CSCws67331.
Technical Details
The vulnerability (CWE-918) resides in the WebDialer service, which allows users to initiate phone calls from a web browser. The full exploit chain documented by SSD Secure Disclosure proceeds in four stages:
- SSRF via WebDialer: A crafted HTTP request to the WebDialer endpoint causes the server to make internal requests, including to the internal Apache Axis SOAP service
- File write via Axis: By manipulating the SSRF to interact with Apache Axis, the attacker writes a malicious JSP file into a publicly-accessible Cisco Tomcat web directory
- Remote code execution: The attacker fetches the planted JSP webshell over HTTP, executing arbitrary commands in the Tomcat process context
- Root escalation: Additional steps escalate privileges from the Tomcat service account to full root on the appliance OS
Key attack characteristics:
- No authentication required: Full unauthenticated exploitation from the network
- Scope Changed: The SSRF crosses a security boundary into the internal SOAP service, reflected in the CVSS S:C component
- Prerequisite: WebDialer must be enabled — it is off by default
- No workaround other than disabling WebDialer: Cisco states there is no other mitigation available
Discovery
Discovered by an independent security researcher working with SSD Secure Disclosure, who is credited in Cisco's advisory. SSD published the full technical write-up and proof-of-concept demonstrating the complete SSRF-to-root chain on June 5, 2026, two days after the Cisco advisory.
Exploitation Context
Active exploitation was confirmed by Defused Cyber on June 24, 2026 — less than 24 hours after the PoC became widely circulated. Observed activity used "genuinely-formatted file:// file-write payloads," consistent with automated scanning exploiting the disclosed technique directly. Horizon3.ai released a NodeZero Rapid Response test for CVE-2026-20230 to help organizations assess their exposure.
The rapid weaponization timeline (advisory June 3 → PoC June 5 → confirmed exploitation June 24) is consistent with opportunistic automated exploitation following a public PoC release. No specific threat actor has been publicly attributed.
Remediation
- Disable WebDialer immediately: If WebDialer is not required for business operations, disable it — this fully eliminates the attack surface for this vulnerability. Navigate to Cisco Unified Serviceability > Tools > Service Activation to check and disable the Cisco WebDialer Web Service
- Apply patches: Upgrade to Unified CM 14SU6 (available now); for Unified CM 15, apply the available COP file as an interim measure, then upgrade to 15SU5 when available
- Audit WebDialer usage before disabling: Determine which users and departments rely on WebDialer and whether it can be permanently decommissioned
- Search for webshells: Inspect Cisco Tomcat web directories for unexpected JSP files placed after June 5, 2026
- Review access logs: Look for anomalous HTTP requests to the WebDialer endpoint, particularly crafted requests containing file:// URIs or SOAP-formatted payloads submitted prior to patching
- Network controls: Restrict public internet access to Unified CM management and WebDialer interfaces where possible; telephony infrastructure rarely requires direct internet exposure
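One way to triage exported access logs for the indicators named in the "Review access logs" step, as an added example that is not Cisco tooling or code from the advisory. The `/webdialer/` path prefix, the common/combined log layout, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumptions: WebDialer lives under this prefix; logs use the common/combined layout.
WEBDIALER_PREFIX = "/webdialer/"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so a double-encoded scheme cannot hide."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Name the indicators from the remediation step found in a request target."""
    text = fully_decode(target).lower()
    hits = []
    if "file://" in text:
        hits.append("file-uri")
    if "soap" in text and "envelope" in text:
        hits.append("soap-payload")
    return hits

def triage(lines, prefix=WEBDIALER_PREFIX):
    """Group flagged WebDialer requests by client address."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not fully_decode(m["target"]).lower().startswith(prefix):
            continue  # unparsable line, or a request outside WebDialer
        hits = classify(m["target"])
        if hits:
            findings[m["ip"]].append((m["ts"], m["status"], hits))
    return dict(findings)

# Constructed sample lines, not captured traffic; paths and parameters are placeholders.
SAMPLE = [
    '198.51.100.7 - - [24/Jun/2026:02:11:09 +0000] "GET /webdialer/page HTTP/1.1" 200 5120',
    '203.0.113.50 - - [24/Jun/2026:03:40:12 +0000] "GET /webdialer/placeholder?x=file%3A%2F%2F%2Fplaceholder HTTP/1.1" 200 312',
    '203.0.113.50 - - [24/Jun/2026:03:40:15 +0000] "POST /webdialer/placeholder?x=%2566ile%253A%252F%252Fplaceholder HTTP/1.1" 500 0',
    '192.0.2.10 - - [24/Jun/2026:03:41:00 +0000] "GET /other/page?ref=file%3A%2F%2Fx HTTP/1.1" 200 100',
    '198.51.100.99 - - [24/Jun/2026:04:02:31 +0000] "GET /webdialer/placeholder?body=%3Csoapenv%3AEnvelope%3E HTTP/1.1" 400 0',
]
```

Standard access logs record the request line but not the request body, so SOAP payloads sent in a POST body will only surface in sources that capture bodies, such as a reverse proxy or packet capture.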
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-20230 |
| Vendor / Product | Cisco — Unified Communications Manager |
| NVD Published | 2026-06-03 |
| NVD Last Modified | 2026-07-01 |
| CVSS 3.1 Score | 8.6 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |
| Severity | HIGH |
| CWE | CWE-918 |
| CISA KEV Added | 2026-06-25 |
| CISA KEV Deadline | 2026-06-28 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-06-03 | Cisco advisory published (v1.0); CVE published |
| 2026-06-05 | Public PoC released by SSD Secure Disclosure demonstrating full SSRF-to-root chain |
| 2026-06-24 | Active exploitation confirmed (Defused Cyber) — sub-24-hour weaponization after PoC availability |
| 2026-06-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-06-28 | CISA BOD 22-01 remediation deadline |
| 2026-07-01 | Cisco advisory updated (v1.1) |
References
| Resource | Type |
|---|---|
| Cisco Security Advisory — cisco-sa-cucm-ssrf-cXPnHcW | Vendor Advisory |
| NVD — CVE-2026-20230 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Horizon3.ai — CVE-2026-20230 Analysis | Security Research |
| BleepingComputer — Cisco Unified CM SME Flaw Now Exploited in Attacks | Security News |
| The Hacker News — Cisco Unified CM Flaw Exploited | Security News |
| Dark Reading — Less Than 24 Hours: Attackers Weaponize Cisco CUCM Flaw | Security News |
| SOCRadar — CVE-2026-20230 Cisco Unified CM WebDialer SSRF | Security Research |