Critical SSRF Vulnerability (CVE-2026-20230) in Cisco Unified Communications Manager Enables Unauthenticated Remote File Write
What It Is — Cisco Unified CM and Unified CM SME contain an input-validation flaw that lets an unauthenticated, remote attacker send crafted HTTP requests that trigger server-side request forgery (SSRF). Successful exploitation can write arbitrary files to the underlying operating system, a stepping-stone to root-level compromise.
Exploitability — Public proof-of-concept code is available. Cisco rates the issue Critical (CVSS ≈ 9.8). Exploitation is possible only when the optional WebDialer service is enabled (it is disabled by default). No in-the-wild exploitation has been confirmed, but the public PoC substantially lowers the barrier to attack.
Affected Products — Cisco Unified Communications Manager (UCM) 14.x, 15.x and Unified CM SME 14.x, 15.x. The flaw is triggered via the WebDialer web service.
TPRM Impact — Enterprises that outsource telephony, contact-center, or unified-communications functions to Cisco inherit a remote-code-execution risk that can:
- compromise internal network segments,
- expose call-recording and credential data,
- disrupt business-critical voice services, and
- provide a foothold for lateral movement into downstream SaaS applications.
Recommended Actions —
- Apply Cisco’s fixed releases (14SU6 for release 14, 15SU5 for release 15, or later).
- Immediately disable the WebDialer service via Unified Serviceability → Service Activation → CTI Services.
- Conduct an inventory of all UCM/SME instances and verify the service state.
- Enable logging and monitor outbound HTTP traffic for anomalous SSRF patterns.
- Update incident-response playbooks to include privilege-escalation scenarios stemming from file-write exploits.
Source: Security Affairs