Full Report
Cisco has patched a bug in Unified Communications Manager that lets an unauthenticated attacker on the network write files to the box and, from there, climb to root. It is tracked as CVE-2026-20230, and proof-of-concept exploit code is already public. Cisco's PSIRT says it has not seen the flaw used in attacks yet. The PoC shortens that runway. The flaw is a server-side request forgery.
Analysis Summary
# Vulnerability: Arbitrary File Write and Privilege Escalation in Cisco Unified CM
## CVE Details
- **CVE ID:** CVE-2026-20230
- **CVSS Score:** 8.6 (Critical per Cisco Rating)
- **CWE:** CWE-918 (Server-Side Request Forgery)
## Affected Systems
- **Products:**
- Cisco Unified Communications Manager (Unified CM)
- Cisco Unified Communications Manager Session Management Edition (SME)
- **Versions:**
- 14.x
- 15.x
- **Configurations:** Systems where the **WebDialer** service is enabled (this service is disabled by default).
## Vulnerability Description
The vulnerability stems from improper validation of HTTP requests within the Cisco WebDialer service. An unauthenticated, remote attacker can send a crafted request to the affected server, which leads to a Server-Side Request Forgery (SSRF). This flaw allows the attacker to write arbitrary files to the underlying operating system. While the initial vulnerability (file write) only impacts integrity, it serves as a foothold for a secondary step involving local privilege escalation to gain root access.
## Exploitation
- **Status:** PoC available (Public); Not yet observed in the wild.
- **Complexity:** Low (Unauthenticated)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Resulting from root escalation)
- **Integrity:** High (Arbitrary file write and root access)
- **Availability:** High (Full system control)
## Remediation
### Patches
- **Version 14.x:** Update to **14SU6** or later.
- **Version 15.x:** Apply the interim **COP patch**. The full Service Update (15SU5) is expected in September 2026.
### Workarounds
- **Disable WebDialer Service:**
1. Navigate to **Cisco Unified Serviceability**.
2. Go to **Tools > Service Activation**.
3. Uncheck **Cisco WebDialer Web Service** and save.
## Detection
- **Service Audit:** In **Cisco Unified CM Administration**, switch to **Cisco Unified Serviceability**. Under **Tools > Control Center - Feature Services**, check the status of **Cisco WebDialer Web Service**. If the status is "Started," the system is vulnerable.
- **Indicators of Compromise:** Monitor for unauthorized or unexpected file creations on the operating system, particularly those originating from web service processes.
## References
- **Cisco Security Advisory:** hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW
- **News Report:** hxxps://thehackernews[.]com/2026/06/cisco-patches-cve-2026-20230-in-unified[.]html