Security researchers have reported active exploitation of a critical vulnerability in Cisco’s Unified Communications Manager (Unified CM) and its Session Management Edition (Unified CM SME). The flaw, tracked as CVE-2026-20230 with a CVSS score of 8.6, was only recently disclosed and stems from improper input validation of specific HTTP requests.
The vulnerability allows an unauthenticated, remote attacker to perform server-side request forgery (SSRF). According to Cisco’s advisory, the attacker exploits it by sending a crafted HTTP request to an affected system; a successful exploit lets the attacker write files to the underlying operating system, which may ultimately yield root privileges.
Exploitation Details and Observations
Defused Cyber reported in a recent post on X that exploitation attempts are under way. The attempts currently originate from a single source and use an unaudited proof-of-concept (PoC) whose file:// file-write payloads are correctly formed; Defused observed the activity on its decoy (honeypot) systems.
The attack only works if the Cisco WebDialer Web Service is running, and it is not activated by default. To check, open Cisco Unified Serviceability (reachable from the Navigation menu of the Cisco Unified CM Administration interface), go to Tools > Control Center - Feature Services and look at the Cisco WebDialer Web Service: a status of ‘Started’ means the service is active and the system is exposed. The platform CLI command utils service list reports the same service states.
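The observation above (requests to WebDialer carrying file:// file-write payloads, from a single source) suggests a simple log check. The following is an added example, not code from Cisco, Defused Cyber or the article: it scans proxy or WAF logs in front of Unified CM for requests to the WebDialer path that contain a file:// URI, decoding percent-encoding and XML entities first, and counts hits per source so that a lone spraying origin stands out. The JSON-lines log format, the /webdialer/ path prefix and the log records themselves are constructed assumptions; the request bodies are placeholders, not the real payload.

```python
"""
Detector for the CVE-2026-20230 payload shape: HTTP requests to the
WebDialer endpoint that carry a file:// URI in the URL or body.

Added example, not code from Cisco, Defused Cyber or the article.
Assumptions (not from the source):
  * logs are JSON-lines records from a reverse proxy or WAF in front of
    Unified CM, with a "body" field holding a request body excerpt;
  * the WebDialer servlet lives under the /webdialer/ path prefix.
"""
import html
import json
import re
from collections import Counter
from urllib.parse import unquote

WEBDIALER_PREFIX = "/webdialer/"  # assumption: adjust to your deployment
# file:// and the absolute three-slash form file:/// anywhere in the request
FILE_URI = re.compile(r"file:/{2,3}", re.IGNORECASE)


def normalize(text):
    """Undo up to two layers of percent-encoding plus XML/HTML entity
    encoding so that file%3A%2F%2F or file&#58;// is seen as file://."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return html.unescape(text)


def is_suspicious(record):
    """True when the request targets WebDialer and contains a file:// URI."""
    path = record.get("path", "")
    if not path.lower().startswith(WEBDIALER_PREFIX):
        return False
    haystack = normalize(path + " " + record.get("body", ""))
    return FILE_URI.search(haystack) is not None


def scan(lines):
    """Return (source_ip, path) for every suspicious request in the log."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if is_suspicious(record):
            hits.append((record["src"], record["path"]))
    return hits


def count_by_source(hits):
    """Suspicious requests per source IP; one noisy source matches the
    reported pattern of a single origin spraying the PoC."""
    return Counter(src for src, _ in hits)


# Constructed sample log (not real traffic). Bodies are placeholders, not the
# actual PoC payload; only the presence of a file:// URI matters here.
SAMPLE_LOG = """
{"ts": "2026-03-01T10:00:01Z", "src": "203.0.113.10", "method": "GET", "path": "/webdialer/Webdialer?wsdl", "body": ""}
{"ts": "2026-03-01T10:00:02Z", "src": "198.51.100.7", "method": "POST", "path": "/webdialer/Webdialer", "body": "<soapenv:Envelope>...<param>normal value</param>...</soapenv:Envelope>"}
{"ts": "2026-03-01T10:00:03Z", "src": "192.0.2.55", "method": "POST", "path": "/webdialer/Webdialer", "body": "<soapenv:Envelope>...<param>file:///tmp/x</param>...</soapenv:Envelope>"}
{"ts": "2026-03-01T10:00:04Z", "src": "192.0.2.55", "method": "GET", "path": "/webdialer/Webdialer?target=file%3A%2F%2F%2Ftmp%2Fy", "body": ""}
{"ts": "2026-03-01T10:00:05Z", "src": "203.0.113.20", "method": "POST", "path": "/other/app", "body": "file:///etc/hosts"}
"""


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for src, path in found:
        print(f"suspicious WebDialer request from {src}: {path}")
    print("per-source counts:", dict(count_by_source(found)))
```

Standard web-server access logs do not retain POST bodies, so feed this from a reverse proxy, WAF or packet capture that does. A hit against a system whose WebDialer service is not started is reconnaissance noise; a hit against one where it is started warrants patching or disabling the service immediately and reviewing the host for newly written files.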
Mitigation and Patch Information
Cisco has fixed the flaw in Unified CM and Unified CM SME releases 14SU6 and 15SU5. Where patching cannot happen immediately, stopping the WebDialer service is the recommended temporary measure; note that this removes click-to-dial for users who depend on WebDialer, so plan the change accordingly.
SSD Secure Disclosure has published further technical detail on CVE-2026-20230, explaining how it lets an attacker write arbitrary files on the server. According to that write-up, the WebDialer component can also be used to learn the target’s hostname, a step that contributes to potential code execution.
Response and Future Implications
Cisco has not yet updated its advisory to acknowledge active exploitation of CVE-2026-20230. Separately, the company recently released fixes for a medium-severity flaw in Catalyst SD-WAN Manager, CVE-2026-20262 (CVSS 6.5), which is also being exploited in the wild.
Organizations running Cisco products should stay alert, apply updates promptly and follow the recommended security practices to limit their exposure.
