HackMyIP
2026-06-04 The Hacker News

Cisco Unified CM SSRF Flaw (CVE-2026-20230): PoC Public, Full Patch Months Away

Tags: Vulnerability, Threat Intel, Authentication

Cisco has released a patch for a server-side request forgery (SSRF) vulnerability in Unified Communications Manager (Unified CM) and its Session Management Edition that allows an unauthenticated attacker on the network to write arbitrary files to the underlying operating system, then escalate to full root. Tracked as CVE-2026-20230, the flaw stems from insufficient validation of HTTP requests, which a crafted request can exploit to push the server into writing files to disk. A working proof-of-concept exploit is now publicly available, and while Cisco's PSIRT says it has not observed in-the-wild abuse, public PoC code dramatically shortens the time before that changes. Security teams should run a port scanner against their UC infrastructure to confirm whether WebDialer is reachable from untrusted networks.

The vulnerability carries a CVSS base score of 8.6, but the score and Cisco's internal rating tell different stories. The base metric captures only the file-write primitive, an integrity-only impact with no direct confidentiality or availability loss, while the subsequent root escalation is not factored in. Cisco nonetheless rated the advisory Critical because the end state is full system compromise. The attack chain is conditional: the flaw is only exploitable when the WebDialer service is running, and WebDialer ships disabled by default. Administrators can verify exposure by navigating to Cisco Unified Serviceability, then Tools > Control Center - Feature Services, and checking the status of the Cisco WebDialer Web Service under CTI Services. A "Started" status means the deployment is in scope.

Patching is the only durable fix. For the 14 train, the fix ships in 14SU6. For the 15 train, the full Service Update (15SU5) is not scheduled until September 2026, leaving interim COP patches as the only fix until then; alternatively, operators can disable WebDialer via Tools > Service Activation. The bug was reported by an independent researcher working through SSD Secure Disclosure. It continues a troubling pattern for Unified CM: last July, Cisco removed a hard-coded root SSH account left over from development (CVE-2025-20309, CVSS 10.0), and in January it patched an unauthenticated RCE chain across several voice products (CVE-2026-20045) that was already being exploited, prompting CISA to add it to the Known Exploited Vulnerabilities catalog. Given the public PoC and the multi-month gap before 15-train coverage is complete, defenders should also verify TLS configurations on any exposed UC endpoints using an SSL/TLS checker and confirm that management interfaces are not exposed beyond the management VLAN. With a public exploit and a long tail of unpatched 15-train deployments, assume this file-write primitive gets weaponized before the September fix is broadly deployed.

Source: The Hacker News
