Full Report
A vulnerability has been discovered in Cisco products that could allow for Server-Side Request Forgery (SSRF). Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) are Cisco's central, software-based call control and session management platforms for enterprise communication. Successful exploitation of this vulnerability could allow an attacker to use the SSRF to write files to the underlying operating system, which could later be used to elevate to root. Depending on where the attacker is able to write files, they may be able to execute commands on, or remotely access, the affected device.
Analysis Summary
# Vulnerability: Server-Side Request Forgery (SSRF) in Cisco Unified CM
## CVE Details
- **CVE ID:** CVE-2026-20230
- **CVSS Score:** 8.1 (High - estimated based on impact and lack of authentication)
- **CWE:** CWE-918 (Server-Side Request Forgery)
## Affected Systems
- **Products:**
- Cisco Unified Communications Manager (Unified CM)
- Cisco Unified Communications Manager Session Management Edition (Unified CM SME)
- **Versions:**
- Version 14 prior to 14SU
- Version 15 prior to 15SU5 (scheduled for Sept 2026), unless the vendor-provided COP file has been applied
- **Configurations:** The vulnerability can only be exploited if the **WebDialer** service is enabled. WebDialer is disabled by default, so only deployments that have explicitly activated it are exposed.
## Vulnerability Description
A vulnerability exists in the Cisco Unified CM and Unified CM SME platforms that allows for unauthenticated Server-Side Request Forgery (SSRF). An attacker who can reach the WebDialer service can send specially crafted requests that cause the server to make requests it should not make; in this case, that behaviour lets the attacker write arbitrary files to the underlying operating system. If a file is written to a location that is executed automatically, this can lead to remote command execution and subsequent privilege escalation to root.
## Exploitation
- **Status:** Proof of Concept (PoC) code appears to exist publicly; no reports of exploitation in the wild at this time.
- **Complexity:** Medium (requires network reachability to a Unified CM node on which the WebDialer service is enabled; no credentials are needed).
- **Attack Vector:** Network (Remotely exploitable without authentication).
## Impact
- **Confidentiality:** High (Potential for full system access and data theft).
- **Integrity:** High (Ability to write arbitrary files and execute commands).
- **Availability:** High (Potential for complete system compromise or service disruption).
## Remediation
### Patches
- **Version 14:** Apply 14SU updates.
- **Version 15:** Apply 15SU5 (scheduled for Sept 2026) or the recommended Cisco Options Package (COP) file provided by the vendor.
### Workarounds
- **Disable WebDialer:** If the service is not business-critical, leave it in its default disabled state, or deactivate it on nodes where it has been enabled, until the fixed release or COP file is applied.
- **Network Segmentation:** Isolate Unified CM instances from the public internet and restrict access to the WebDialer service to trusted internal networks only.
## Detection
- **Indicators of Compromise:** Monitor for unauthorized file writes to the filesystem, particularly in system directories or web-accessible folders.
- **Detection methods and tools:**
- Review WebDialer service logs for unexpected inbound requests and for server-side (outbound) requests the service would not normally make.
- Use automated vulnerability scanners to identify vulnerable versions of Unified CM.
- Conduct application penetration testing to validate the security posture of the WebDialer interface.
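The two preconditions listed on this page (an affected release and an enabled WebDialer service) can be checked together from the node's own CLI output. The helper below is an added example, not Cisco's code or part of the original advisory. It assumes the operator has pasted the output of the Unified CM CLI commands `show version active` and `utils service list`; the exact line layout of those commands, the `Cisco WebDialer Web Service` service name, and the mapping of the fourth version field to an SU level (`15.0.1.11900` read as 15SU1) are assumptions to verify against your own nodes. The fix level for the 14 train is not stated on this page, so the helper reports it for manual verification rather than guessing.

```python
"""Triage a Unified CM node for exposure to the WebDialer SSRF (added example, not Cisco's code)."""
import re

# Fixed SU level per release train, as stated on this page. The 14 train's fix
# level is not spelled out on this page, so it is None: report it, do not guess.
FIXED_SU = {14: None, 15: 5}

VERSION_RE = re.compile(r"Active Master Version:\s*(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)")
# Assumed layout of one `utils service list` line; adjust to what your nodes print.
SERVICE_RE = re.compile(
    r"^Cisco WebDialer Web Service\s*\[(?P<state>[A-Z]+)\]\s*(?P<note>.*)$", re.M)


def parse_version(text):
    """Return (major, su) from `show version active` output, or None if not found.

    Assumption (not from this page): the SU level is encoded in the fourth
    field as 1<SU>900, so 15.0.1.11900 is 15SU1 and 15.0.1.10000 is base 15.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, build = int(m.group(1)), m.group(4)
    su = int(build[1]) if re.fullmatch(r"1\d900", build) else 0
    return major, su


def webdialer_state(text):
    """Return 'started', 'stopped', 'not-activated' or 'unknown' for WebDialer."""
    m = SERVICE_RE.search(text)
    if not m:
        return "unknown"
    if "Not Activated" in m.group("note"):
        return "not-activated"
    return "started" if m.group("state") == "STARTED" else "stopped"


def assess(version_text, service_text):
    """Combine both preconditions from the advisory into one triage verdict."""
    v = parse_version(version_text)
    if v is None:
        return "unknown-version"
    major, su = v
    if major not in FIXED_SU:
        return "not-affected-train"
    fixed = FIXED_SU[major]
    if fixed is not None and su >= fixed:
        return "patched"
    reachable = webdialer_state(service_text) == "started"
    if fixed is None:
        # Affected train whose fix level is not given here: still report whether
        # the exploitation precondition (WebDialer running) is currently met.
        return "verify-fix-level-webdialer-" + ("on" if reachable else "off")
    # Affected release: exposed only if WebDialer is running, but still needs the patch.
    return "exposed" if reachable else "vulnerable-webdialer-inactive"


# Constructed sample output (not captured from a real node).
SAMPLE_VERSION = (
    "Active Master Version: 15.0.1.11900-26\n"
    "Inactive Master Version: 15.0.1.10000-32\n"
)
SAMPLE_SERVICES = """Requesting service status, please wait...
Cisco CallManager[STARTED]
Cisco WebDialer Web Service[STARTED]
Cisco Tftp[STARTED]
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SERVICES))  # exposed
```

Run it against pasted output from each node in the cluster; a verdict of `exposed` means both preconditions hold and the node should be patched (or WebDialer deactivated) first, while `vulnerable-webdialer-inactive` means the node is not currently reachable through this bug but still needs the fixed release.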
## References
- hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW
- hxxps[://]cve[.]mitre[.]org/cgi-bin/cvename[.]cgi?name=CVE-2026-20230