Cisco Issues Critical Warning for Unified CM SSRF Vulnerability with PoC Exploit

Severity: High (Score: 74.0)

Sources: cwe.mitre.org, Gbhackers, developer.cisco.com, Techtimes, Bleepingcomputer

Published: 2026-06-04 · Updated: 2026-06-04

Keywords: unified, cisco, exploit, released, communications, manager, critical

Severity indicators: exploit released, exploit code, critical, flaw

Summary

Cisco has identified a critical server-side request forgery (SSRF) vulnerability in its Unified Communications Manager (Unified CM), tracked as CVE-2026-20230. This flaw allows remote attackers to gain root privileges by sending crafted HTTP requests. The vulnerability affects systems where the WebDialer service is enabled, which is disabled by default. Cisco has released patches for affected versions, urging administrators to upgrade to versions 14SU6 or 15SU5. A proof-of-concept (PoC) exploit for this vulnerability was made publicly available, increasing the risk of active exploitation. Cisco's Product Security Incident Response Team (PSIRT) is monitoring the situation but has not confirmed any active attacks. This vulnerability follows a history of critical issues with Unified CM, including a previously exploited zero-day vulnerability (CVE-2026-20045). Security teams have noted that many attacks go undetected, highlighting the importance of vigilance.

Key Points:

  • CVE-2026-20230 is a critical SSRF vulnerability in Cisco Unified CM allowing root access.
  • A public proof-of-concept exploit has been released, raising the risk of exploitation.
  • Administrators are advised to patch affected systems or disable the WebDialer service.

Detailed Analysis

**Impact**

Organizations using Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME) with the WebDialer service enabled are affected. The vulnerability allows remote attackers to gain root privileges, potentially compromising telephony infrastructure that is critical for device management and call routing. No specific sectors or geographies are detailed, but the impact spans any enterprise relying on Cisco IP telephony systems. Data at risk includes system files and configurations that could enable persistent root access.

**Technical Details**

The vulnerability (CVE-2026-20230) is a server-side request forgery (SSRF) flaw exploitable via crafted HTTP requests without requiring prior privileges. Exploitation can lead to writing files on the underlying operating system and privilege escalation to root. Proof-of-concept exploit code is publicly available, increasing the risk of active exploitation. Exploitation requires the WebDialer service to be enabled; it is disabled by default. No specific malware or additional IOCs are mentioned.

**Recommended Response**

Apply Cisco Unified CM updates to versions 14SU6 or 15SU5 immediately to patch the vulnerability. If patching is not feasible, disable the WebDialer service to block exploitation attempts. Monitor network traffic for unusual HTTP requests targeting Unified CM devices. No additional mitigations or detection signatures are provided in the sources.

Source articles (5)

  • PoC Exploit Released for Cisco Unified Communications Manager Security Vulnerability — Gbhackers · 2026-06-04
    A proof-of-concept (PoC) exploit has been released for a critical server-side request forgery (SSRF) vulnerability impacting Cisco Unified Communications Manager (Unified CM) and Unified CM Session Ma…
  • Cisco warns of critical Unified CM flaw with PoC exploit code — Bleepingcomputer · 2026-06-04
    Cisco has released security updates to patch a critical-severity Unified Communications Manager (Unified CM) flaw that allows attackers to gain root privileges. Cisco Unified CM (formerly known as Cis…
  • Cisco Unified CM SSRF Flaw CVE-2026-20230: Public Exploit Code Opens Path to Root — Techtimes · 2026-06-04
    Cisco disclosed a critical server-side request forgery vulnerability in its Unified Communications Manager platform on Wednesday, and by Thursday morning working proof-of-concept exploit code was alre…
  • SSRF, or server-side request forgery, attack — cwe.mitre.org · 2026-06-04
    This code intends to receive a URL from a user, access the URL, and return the results to the user. The given PHP code is vulnerable to Server-Side Request Forgery (SSRF) because it directly accepts a…
  • Cisco WebDialer Web Service to be enabled — developer.cisco.com · 2026-06-04
    The Cisco WebDialer Service is a part of the overall Unified Communications Manager (Unified CM) server installation. It allows users to make Click-to-Dial (C2D) calls on a corporate directory page or…

Timeline

  • 2024-01-26 — CVE-2024-20253 published: Cisco disclosed a vulnerability allowing root access to Unified CM systems, adding to security concerns.
  • 2026-01-21 — CVE-2026-20045 published: Cisco disclosed another critical vulnerability in Unified CM that was actively exploited as a zero-day.
  • 2026-06-03 — CVE-2026-20230 published: Cisco disclosed a critical SSRF vulnerability in Unified CM that can lead to root access.
  • 2026-06-04 — Public PoC exploit released: A proof-of-concept exploit for CVE-2026-20230 has been made publicly available, increasing exploitation risk.

CVEs

  • CVE-2024-20253
  • CVE-2026-20045
  • CVE-2026-20230

Related entities

  • Zero-day Exploit (Attack Type)
  • Server-Side Request Forgery (Attack Type)
  • Cisco (Company)
  • CWE-918 - Server-Side Request Forgery (SSRF) (CWE)
  • T1068 - Exploitation for Privilege Escalation (MITRE ATT&CK)
  • T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
  • Cisco Unified CM (Platform)
  • Cisco Unified Communications Manager (Platform)
  • Cisco WebDialer Web Service (Platform)
  • Linux (Platform)
  • Unified CM Session Management Edition (Platform)