CVE-2026-20230: Cisco Unified CM WebDialer SSRF to Root, CVSS 8.6

This week in our InSEKurity of the Week series: a critical-rated, unauthenticated server-side request forgery (SSRF) flaw in the WebDialer component of Cisco Unified Communications Manager (Unified CM) — the platform that runs enterprise telephony for a huge share of the world’s large organizations. Cisco scored it CVSS 8.6 but assigned a Security Impact Rating of Critical, because the SSRF is not the endgame: it gives an unauthenticated remote attacker the ability to write arbitrary files to the underlying operating system and from there escalate to root. Cisco published the advisory in early June 2026, and proof-of-concept exploit code is already publicly available. If you run Unified CM with WebDialer enabled — a very common enterprise configuration — this one belongs at the top of your patch queue.

🚨 Summary

CVE ID: CVE-2026-20230
CVSS 3.1 Score: 8.6 (High) — Cisco Security Impact Rating: Critical
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE: CWE-918 (Server-Side Request Forgery)
Affected Software: Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME) — only when the WebDialer service is enabled
Attack Vector: Network (remote, unauthenticated) — crafted HTTP request to the WebDialer service
Authentication Required: None
User Interaction: None
Impact: Arbitrary file write to the underlying OS, leveraged to escalate privileges to root — full appliance compromise
Patch Status: ✅ Available (Unified CM 14SU6; 15SU5 due September 2026 with interim COP patch)
Published: June 3, 2026 (Cisco advisory cisco-sa-cucm-ssrf-cXPnHcW)
Exploitation Status: Public PoC exploit code available; no confirmed in-the-wild exploitation at time of writing
CISA KEV: Not listed at time of writing (2026-06-09)

☎️ What is Cisco Unified Communications Manager?

Cisco Unified Communications Manager (Unified CM, formerly CallManager) is the call-processing core of Cisco’s enterprise collaboration stack. It is the IP-PBX that registers IP phones and softphones, routes voice and video calls, enforces dial plans, and ties together voicemail, presence, conferencing, and contact-center services. In large enterprises, government agencies, hospitals, and call centers, Unified CM is the system that quite literally makes the phones work — which is exactly why it is deployed at enormous scale and why an outage or compromise has outsized operational impact.

Unified CM ships as a hardened Linux-based appliance (Cisco Voice Operating System) and exposes a number of web-facing administrative and user services over HTTPS. One of those is WebDialer, a click-to-call service that lets users place calls straight from a directory page, a CRM, or a custom desktop/web application. WebDialer is disabled by default, but it is a popular convenience feature and is commonly turned on in production deployments — which is the precondition for this vulnerability.

Typical Use Cases

Enterprise telephony: registration and call routing for tens of thousands of IP phones across campuses and sites.
Click-to-call integrations: WebDialer drives “dial from the browser” buttons in directories, CRMs, and help-desk tooling.
Unified collaboration: integration with voicemail (Unity), presence/IM (Jabber/Webex), and conferencing.
Contact centers: Unified CM underpins Cisco UCCX/UCCE agent telephony.
Session management: Unified CM SME aggregates and routes between multiple call-control clusters and SIP trunks.

Because Unified CM is a tier-0 service for an organization’s communications — and because WebDialer is exposed over the same HTTPS interface admins and users reach every day — an unauthenticated bug in it is a serious problem.

🔍 Technical Analysis

Vulnerability Description

CVE-2026-20230 is a server-side request forgery (CWE-918) in the WebDialer service of Unified CM and Unified CM SME. According to Cisco, the flaw is due to improper input validation for specific HTTP requests. An unauthenticated, remote attacker can exploit it by sending a crafted HTTP request to an affected device. A successful exploit lets the attacker coerce the server into issuing attacker-influenced requests and, critically, write files to the underlying operating system — files that can subsequently be used to elevate privileges to root.

The decisive detail is that this is not a “blind SSRF that only reaches internal metadata” issue. The advisory is explicit that the primitive results in an arbitrary file write on the appliance OS. On a Linux-based system, a write primitive aimed at the right location (a service script, a scheduled task, a configuration file consumed by a root process) is a direct stepping stone from “unauthenticated HTTP request” to “code execution as root.” That is why Cisco rated the Security Impact Critical even though the raw CVSS base score is 8.6.

Root Cause Analysis

Improper input validation in WebDialer’s HTTP handling (CWE-918): a request field that influences where or how the server makes an onward request is not properly validated, allowing the attacker to steer server-side requests.
SSRF escalated to a file-write primitive: the coerced request does not merely read internal resources — it results in attacker-controlled content being written to the underlying OS filesystem.
Pre-authentication reachability: the vulnerable WebDialer code path is reachable without any credentials, so there is no authentication barrier in front of the bug.
Privileged service context: the file write lands on the OS in a way that can be leveraged to execute code as root, turning a web-service bug into full appliance compromise.
Feature commonly enabled: WebDialer is off by default but widely enabled for click-to-call, so the real-world exposed surface is large.
Network-reachable HTTPS service: WebDialer is served over the same web interface (typically TCP/8443) that the platform exposes for user and admin functions.

Attack Vector

A simplified exploitation flow looks like this. The HTTP request below is illustrative only — it shows where the vulnerable WebDialer service lives and the shape of the attack, not a working exploit:

# Step 1: Identify Unified CM hosts and confirm the WebDialer service is
# reachable. Unified CM exposes its web services over HTTPS on TCP/8443.
nmap -p 8443,443,80 --open -oG cucm-candidates.gnmap 10.0.0.0/24

# Probe for the WebDialer service endpoint. A live WebDialer responds on
# its servlet path; a 200/302/401 here means the feature is enabled.
curl -sk -o /dev/null -w "%{http_code}\n" \
    "https://10.0.0.20:8443/webdialer/Webdialer"

# Step 2: Send the crafted, UNAUTHENTICATED request to the WebDialer
# service. ILLUSTRATIVE ONLY -- this does NOT trigger CVE-2026-20230.
# The real flaw is improper validation of a request field that lets the
# server be coerced into an SSRF that writes a file to the OS.
curl -sk "https://10.0.0.20:8443/webdialer/Webdialer" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "cmd=doFinishCall" \
    --data-urlencode "destination=internal-resource-or-write-target"

# Step 3: The SSRF primitive is used to write a file to a location the
# appliance OS processes with root privileges (e.g. a script or task that
# runs as root). On the next execution, the attacker's payload runs as root.

# Step 4: Catch the resulting root shell / C2 beacon staged by the payload.
nc -nvlp 4444

The snippet above is illustrative only — it reaches the WebDialer service but does not implement CVE-2026-20230. The actual exploit abuses improper input validation in a specific WebDialer request to drive an SSRF that writes a file to the underlying OS; that file is then leveraged to gain root.

A simplified view of the attack chain:

Attacker                                       Victim (Cisco Unified CM appliance)
   |                                                        |
   |  crafted HTTP request to WebDialer (TCP/8443)          |
   |------------------------------------------------------->|  no auth required
   |                                                        |
   |  improper input validation -> SSRF primitive           |
   |------------------------------------------------------->|  server is coerced
   |                                                        |  into an onward request
   |                                                        |
   |  SSRF -> arbitrary file write to OS filesystem          |
   |------------------------------------------------------->|  attacker content
   |                                                        |  written to a root-
   |                                                        |  consumed location
   |                                                        |
   |<-- root shell / C2 beacon ----------------------------<|  payload executes
   |                                                        |  as root -> full
   v                                                        v  appliance compromise

Exploitation in the Wild

2026-06-03 — Cisco publishes advisory cisco-sa-cucm-ssrf-cXPnHcW and states it is aware of publicly available proof-of-concept exploit code, while reporting no evidence of malicious use at that time.
2026-06-04 onward — Security press (BleepingComputer, The Hacker News, SecurityAffairs) and vulnerability vendors (Qualys, Tenable) flag the flaw as a priority, emphasizing that public PoC code sharply lowers the barrier to exploitation.
2026-06-09 — At the time of writing, there is no confirmed in-the-wild exploitation, and the CVE is not yet in the CISA KEV catalog — but with PoC code circulating against a high-value target, defenders should treat weaponization as imminent.

Post-Exploitation Impact

Root on the Unified CM appliance: complete control of the call-processing core — the attacker owns the platform that runs the organization’s telephony.
Call interception and fraud: with root, an attacker can manipulate dial plans, reroute or record calls, and enable toll fraud against SIP trunks.
Credential and secret theft: Unified CM stores configuration, certificates, and integration credentials (LDAP/AD bind accounts, trunk secrets) that become reachable from root.
Pivot into the core network: a compromised UC appliance is a quiet, trusted foothold deep inside the enterprise from which to move laterally.
Persistence and tampering: root allows installation of backdoors, disabling of logging, and survival across reboots and minor upgrades.
Service disruption: an attacker (or a clumsy exploit attempt) can degrade or take down telephony for the entire organization — a major operational and safety concern for hospitals, call centers, and emergency lines.

⚠️ Impact Assessment

Immediate Impact

Unauthenticated, network-reachable, root outcome: no credentials and no user interaction — only network access to the WebDialer service.
High-value target: Unified CM is core enterprise infrastructure deployed at massive scale across enterprises, healthcare, and government.
Public PoC available: the exploitation barrier is already low; commodity scanning and weaponization typically follow quickly.
Common configuration: WebDialer is off by default but widely enabled for click-to-call, so many production clusters are exposed.
Patching requires planning: UC platforms are change-controlled and high-availability, so emergency patching/mitigation needs coordination — start now.

Affected Versions

Platform	Vulnerable	Fixed In
Unified CM / SME 15	15SU5 and earlier (WebDialer enabled)	15SU5 (September 2026) or interim COP patch
Unified CM / SME 14	14SU6 and earlier (WebDialer enabled)	14SU6 (available now)
Unified CM / SME 12.5 and earlier	Affected (WebDialer enabled)	Migrate to a fixed release

The vulnerability only affects Unified CM and Unified CM SME when the WebDialer service is enabled. Cisco’s advisory cisco-sa-cucm-ssrf-cXPnHcW is the authoritative source for exact fixed builds and COP-patch availability per release — always cross-reference it before deploying.

Affected Environments

Any enterprise running Unified CM with WebDialer enabled: the click-to-call feature is the trigger condition.
Large-scale telephony estates: multi-site campuses, contact centers, and SME-aggregated clusters with broad internal reachability.
Healthcare and critical services: where telephony availability is a safety issue and compromise carries severe consequences.
Internet-exposed UC portals (rare but real): any WebDialer interface reachable from untrusted networks is at immediate, severe risk.
Managed/hosted UC providers: shared platforms amplify blast radius across multiple customer tenants.

Attacker Profiles

Initial-access brokers: a reliable unauthenticated root on a widely deployed Cisco appliance is high-value access to resell.
Ransomware operators: a trusted internal foothold with root accelerates lateral movement toward domain and data.
Telecom-fraud actors: control of call routing and SIP trunks enables direct financial gain via toll fraud.
APT groups: a quiet, privileged listening post inside enterprise voice infrastructure is ideal for espionage.
Opportunistic scanners: with public PoC code, internet- and internal-facing WebDialer endpoints will be swept en masse.

🛡️ Mitigation Strategies

Immediate Actions (Priority 1) ⚡

Apply the fixed release / COP patch to every affected Unified CM and SME cluster. Upgrade Release 14 to 14SU6 now; for Release 15, apply the interim COP patch until 15SU5 ships (September 2026):

# On the Unified CM CLI (admin account), confirm the running version
# before and after patching. Compare against the fixed build in the
# Cisco advisory cisco-sa-cucm-ssrf-cXPnHcW.
show version active

# Stage and install the COP / upgrade file from your SFTP repository
# (perform on the publisher first, then subscribers, in a maintenance
# window that preserves call processing).
utils system upgrade initiate

If you cannot patch immediately, disable WebDialer as a workaround. The vulnerability only applies when WebDialer is enabled, so turning it off removes the attack surface:

# Cisco Unified Serviceability:
#   Tools > Control Center - Feature Services
#   -> CTI Services -> "Cisco WebDialer Web Service" -> Stop / Deactivate
#
# Confirm WebDialer is not in use by any click-to-call integration
# before disabling it in production.

Verify whether WebDialer is currently enabled so you know your exposure:

# Externally, probe the WebDialer servlet path. A non-error response
# indicates the service is reachable and likely enabled.
curl -sk -o /dev/null -w "WebDialer HTTP status: %{http_code}\n" \
    "https://<cucm-host>:8443/webdialer/Webdialer"

Restrict access to the Unified CM web interfaces to trusted admin/management networks while you patch:

# On an upstream firewall, limit inbound TCP/8443 (and 443/80) to the
# Unified CM cluster to known-good management/user subnets only.
# No Unified CM administrative or WebDialer interface should be
# reachable from the internet.
# Example (iptables-style intent):
#   allow  src 10.0.0.0/8   dst <cucm> tcp/8443
#   deny   src any          dst <cucm> tcp/8443
nmap -Pn -p 8443,443,80 <cucm-public-ip>   # MUST return filtered/closed

Patch the publisher and all subscribers, then validate call processing and WebDialer (if re-enabled) before closing the change.

Detection Measures 🔍

No Cisco-published IoCs exist at the time of writing. Hunt for the symptoms: anomalous unauthenticated requests to the WebDialer servlet, unexpected files appearing on the appliance, and signs of root-level activity.

# Review web/access logs (where exported to your SIEM) for unauthenticated
# POSTs to the WebDialer servlet from unexpected source IPs, especially
# requests with unusual parameters or high volume.
grep -i "/webdialer/" cucm-access.log \
    | grep -iE "POST|doFinishCall|doMakeCall" \
    | awk '{print $1, $4, $6, $7}'

# Alert on requests to WebDialer from any source outside your sanctioned
# click-to-call integration hosts and management subnets.

SIEM / monitoring detection ideas:

# Build detections around:
#   - Unauthenticated HTTP(S) requests to /webdialer/ from non-allowlisted
#     source IPs.
#   - Spikes or anomalies in WebDialer request volume.
#   - New/modified files in OS locations on the appliance (where platform
#     auditing or syslog is available) outside of vendor upgrade windows.
#   - Unexpected outbound connections originating FROM the Unified CM host
#     (a beacon from a compromised appliance).

Network-side hunting:

Alert on inbound TCP/8443 to Unified CM from hosts that are not legitimate users, click-to-call integrations, or management stations.
Watch for unexpected outbound connections initiated by the Unified CM appliance — a strong post-exploitation signal.
Deploy vendor IDS/IPS signatures for CVE-2026-20230 as they become available (Snort/Suricata and firewall-vendor coverage).

Long-term Security Improvements

Treat UC platforms as tier-0: Unified CM warrants the same change-controlled-but-fast critical-patch SLA as identity and directory infrastructure.
Disable features you do not use: WebDialer (and other optional services) should be off unless there is a documented business need.
Segment voice infrastructure: place UC servers in a tightly controlled zone with strict inbound and outbound filtering; UC appliances should rarely initiate arbitrary outbound traffic.
Never expose UC admin/user portals to the internet: front them with VPN or zero-trust access only.
Baseline and monitor UC web services: build detection content for the WebDialer, CCMAdmin, and user portals as crown-jewel endpoints.
Maintain an upgrade runway: keep clusters on releases that still receive security fixes (Release 12.5 and earlier should be migrated).

🎯 Why is this Critical?

Unauthenticated SSRF that reaches root: a file-write primitive on the appliance OS turns a web-service bug into full root compromise — hence Cisco’s Critical Security Impact Rating despite the 8.6 base score.
No prerequisites beyond reachability: no credentials, no user interaction, low attack complexity.
Public PoC already available: the exploitation barrier is low and weaponization typically follows fast.
High-value, widely deployed target: Unified CM is core enterprise telephony across enterprises, healthcare, government, and contact centers.
Common enabling configuration: WebDialer is off by default but frequently enabled for click-to-call, so many clusters are exposed.
Severe downstream impact: call interception, toll fraud, credential theft, lateral movement, and telephony outages — including for safety-critical services.
A clean patch and a clean workaround exist: 14SU6 / COP patch fix it, and disabling WebDialer removes the surface entirely — there is no excuse to leave it exposed.

🚀 Timeline and Disclosure

2026-06-03 — Cisco publishes security advisory cisco-sa-cucm-ssrf-cXPnHcW for CVE-2026-20230, rating it CVSS 8.6 with a Critical Security Impact Rating, and notes that public PoC exploit code exists while reporting no evidence of in-the-wild abuse.
2026-06-04 onward — Vulnerability vendors and security press widely cover the flaw, publish detection guidance (e.g., Qualys QID 317856), and stress the urgency created by the public PoC.
2026-06-09 — At the time of writing, exploitation in the wild is not yet confirmed and the CVE is not listed in the CISA KEV catalog — but defenders should patch or disable WebDialer immediately given the circulating PoC.

🔗 Resources and References

CVE: CVE-2026-20230
NVD: NVD — CVE-2026-20230
Cisco Advisory: Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability (cisco-sa-cucm-ssrf-cXPnHcW)
CWE: CWE-918: Server-Side Request Forgery (SSRF)
CISA KEV Catalog: Known Exploited Vulnerabilities

💼 SEKurity Supports You

Vulnerabilities like CVE-2026-20230 are a reminder that the boring-but-critical infrastructure — the systems that “just run the phones” — is exactly where attackers love to land, because it is privileged, trusted, and rarely monitored as closely as the domain. An unauthenticated SSRF that turns into root on a Unified CM appliance gives an attacker a quiet, deep foothold inside the enterprise. We help organizations find the exposed, optional services they forgot were enabled, validate that critical appliances are genuinely patched, and stress-test whether a compromise of voice or perimeter infrastructure would be detected before it became a network-wide incident. Our perimeter and IT-infrastructure testing maps exactly these forgotten doors — before someone with a public PoC finds them first.

Our Services

Penetration Testing: Web applications, mobile apps (Android & iOS), SAP systems, Active Directory
Large-Scale Attacks: Perimeter testing, IT infrastructure testing, Red Team engagements
Security Awareness: Phishing campaigns, hacking demonstrations

Act now — before attackers do.

Contact:

🌐 Website: www.sekurity.de

📧 Inquiries: www.sekurity.de/kontakt

📱 LinkedIn: SEKurity GmbH

Your SEKurity Team — Your Trusted Adversaries

The security of your communications infrastructure is our drive.

InSEKurity of the Week (CW23/2026): Cisco Unified CM WebDialer Unauthenticated SSRF-to-Root (CVE-2026-20230)