Critical SSRF Vulnerability in Cisco Unified CM Exposes Enterprises to Root Access

Severity: High (Score: 72.0)

Sources: Bleepingcomputer, developer.cisco.com, Gbhackers, cwe.mitre.org, Csa.Sg

Published: 2026-06-04 · Updated: 2026-06-05

Keywords: unified, cisco, exploit, released, communications, manager, critical

Severity indicators: exploit released, exploit code, critical, flaw

Summary

Cisco disclosed a critical server-side request forgery (SSRF) vulnerability in its Unified Communications Manager (CVE-2026-20230) on June 3, 2026. The flaw allows attackers with network access to write arbitrary files to the operating system, potentially escalating privileges to root. Proof-of-concept exploit code was released shortly after the disclosure, increasing the urgency for affected organizations. The vulnerability impacts systems where the WebDialer service is enabled, which is often the case in enterprise environments. Cisco has assigned a Critical Security Impact Rating to this vulnerability, despite a CVSS score of 8.6. Administrators are advised to check the status of the WebDialer service and apply security updates promptly. Currently, there is no evidence of active exploitation, but the availability of PoC code raises concerns about potential attacks. Organizations are encouraged to disable the WebDialer service until patches are applied.

Key Points:

  • CVE-2026-20230 allows root access via SSRF in Cisco Unified CM if WebDialer is enabled.
  • Public exploit code for this vulnerability was released shortly after Cisco's disclosure.
  • Cisco recommends immediate updates and disabling the WebDialer service as a precaution.

Detailed Analysis

**Impact** Enterprises using Cisco Unified Communications Manager (Unified CM) with the WebDialer service enabled are affected. The vulnerability allows attackers to gain root privileges, risking full control over telephony infrastructure, including device registrations, call routing, and user credentials. The flaw impacts Cisco Unified CM Release 14 versions prior to 14SU6 and Release 15 versions prior to 15SU5 globally, with no specific sector or geographic limitations reported. The exposure could disrupt critical communication services and compromise sensitive voice data.

**Technical Details** The attack exploits a server-side request forgery (SSRF) vulnerability (CVE-2026-20230) in the Cisco WebDialer Web Service, which runs on Cisco Tomcat and listens on port 8443/HTTPS. Attackers send crafted HTTP requests to write arbitrary files to the Linux-based OS, then escalate privileges to root via standard techniques such as modifying cron jobs or SSH authorized keys. Proof-of-concept exploit code is publicly available, increasing the risk of active exploitation. No specific malware or IOCs are detailed in the sources.

**Recommended Response** Apply Cisco Unified CM updates to versions 14SU6 or 15SU5 immediately. If patching is not possible, disable the WebDialer service to block exploitation attempts. Monitor network traffic for unusual HTTP requests to port 8443 and audit system files for unauthorized changes. No other mitigations or detection signatures are currently specified.

Source articles (6)

  • PoC Exploit Released for Cisco Unified Communications Manager Security Vulnerability — Gbhackers · 2026-06-04
    A proof-of-concept (PoC) exploit has been released for a critical server-side request forgery (SSRF) vulnerability impacting Cisco Unified Communications Manager (Unified CM) and Unified CM Session Ma…
  • Cisco warns of critical Unified CM flaw with PoC exploit code — Bleepingcomputer · 2026-06-04
    Cisco has released security updates to patch a critical-severity Unified Communications Manager (Unified CM) flaw that allows attackers to gain root privileges. Cisco Unified CM (formerly known as Cis…
  • Cisco Unified CM SSRF Flaw CVE-2026-20230: Public Exploit Code Opens Path to Root — Techtimes · 2026-06-04
    Cisco disclosed a critical server-side request forgery vulnerability in its Unified Communications Manager platform on Wednesday, and by Thursday morning working proof-of-concept exploit code was alre…
  • SSRF, or server-side request forgery, attack — cwe.mitre.org · 2026-06-04
    This code intends to receive a URL from a user, access the URL, and return the results to the user. The given PHP code is vulnerable to Server-Side Request Forgery (SSRF) because it directly accepts a…
  • Cisco WebDialer Web Service to be enabled — developer.cisco.com · 2026-06-04
    The Cisco WebDialer Service is a part of the overall Unified Communications Manager (Unified CM) server installation. It allows users to make Click-to-Dial (C2D) calls on a corporate directory page or…
  • Critical Vulnerability in Cisco Unified Communications Manager — Csa.Sg · 2026-06-05
    Cisco released security updates to fix a critical vulnerability in Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition. Attackers can gain root pri…

Timeline

  • 2024-01-26 — CVE-2024-20253 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-01-21 — CVE-2026-20045 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-03 — CVE-2026-20230 published: Cisco disclosed a critical SSRF vulnerability in Unified Communications Manager, allowing root access.
  • 2026-06-04 — Public PoC exploit code released: Proof-of-concept exploit code for CVE-2026-20230 became publicly available, raising risks for enterprises.
  • 2026-06-04 — Cisco issues security updates: Cisco released updates to patch the critical vulnerability and recommended immediate action for affected users.
  • 2026-06-05 — Security advisory issued: Cisco's advisory emphasized the critical nature of the vulnerability and the need for immediate updates.

CVEs

  • CVE-2024-20253
  • CVE-2026-20045
  • CVE-2026-20230

Related entities

  • Server-Side Request Forgery (SSRF) (Attack Type)
  • Zero-day Exploit (Attack Type)
  • Server-Side Request Forgery (Attack Type)
  • Cisco (Company)
  • CWE-20 - Improper Input Validation (CWE)
  • CWE-918 - Server-Side Request Forgery (SSRF) (CWE)
  • T1068 - Exploitation for Privilege Escalation (MITRE ATT&CK)
  • T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
  • Cisco Unified CM (Platform)
  • Cisco Unified Communications Manager (Platform)
  • Cisco WebDialer Web Service (Platform)
  • Linux (Platform)
  • Unified CM Session Management Edition (Platform)