Cisco warns of critical Unified CM flaw with PoC exploit code

Published: June 4, 2026 at 07:09 AM EDT

Source: Bleeping Computer

Vulnerability Overview

Cisco has released security updates to patch a critical‑severity flaw in Unified Communications Manager (Unified CM) that allows attackers to gain root privileges. The vulnerability (tracked as CVE‑2026‑20230) can be exploited remotely without prior privileges via a low‑complexity server‑side request forgery (SSRF) attack.

Exploitation Details

“An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root,” – Cisco Security Advisory.

Cisco assigned the advisory a Security Impact Rating (SIR) of Critical because exploitation could result in privilege escalation to root.

Cisco’s Product Security Incident Response Team (PSIRT) is aware of publicly available proof‑of‑concept exploit code for CVE‑2026‑20230, but has not observed active exploitation.

Affected Systems and Detection

The vulnerability only impacts systems where the WebDialer service is enabled. WebDialer is disabled by default.

To check whether WebDialer is enabled:

  1. Log in to Cisco Unified CM Administration.
  2. Navigate to Cisco Unified Serviceability and click Go.
  3. In the Tools > CTI Services menu, look under Control Center – Feature Services for the service status.

Mitigation and Patching

  • Patch: Install Cisco Unified CM versions 14SU6 or 15SU5 (September 2026 or later) as soon as possible.
  • Temporary mitigation: Disable the WebDialer service until the patch is applied.

Disabling WebDialer

  1. Log in to the Cisco Unified CM Administration interface.
  2. From the Navigation menu, choose Cisco Unified Serviceability and click Go.
  3. From the Tools menu, select Service Activation.
  4. In the CTI Services section, uncheck Cisco WebDialer Web Service and click Save.

  • CVE‑2026‑20045 – Another critical Unified CM vulnerability, actively exploited as a zero‑day in remote code execution attacks.
  • CVE‑2024‑20253 – Flaw that enabled threat actors to gain root access.
  • Unified CM backdoor account – Removed by Cisco; allowed remote attackers root access on unpatched devices.

Additional Context

Over the past five years, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has tagged 91 Cisco vulnerabilities as actively exploited in the wild, six of which have been used by ransomware operations.
