Summary
CVE-2026-20230 is a server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). An unauthenticated, remote attacker can exploit this flaw by sending a crafted HTTP request to write files to the underlying operating system, with a direct path to escalating privileges to root. Despite a CVSS base score of 8.6 (High), Cisco has assigned a Security Impact Rating (SIR) of Critical due to the privilege escalation potential.
Technical details
- Root cause: Improper input validation of specific HTTP requests in the affected Cisco Unified CM components.
- Attack vector: Network-accessible; no authentication, no user interaction, and no local access are required. The attack is executable remotely by any unauthenticated actor who can reach the device over the network.
- Trigger condition: The WebDialer service must be enabled on the target instance. WebDialer is disabled by default; however, many enterprise deployments enable it for click-to-dial functionality.
- Impact: Successful exploitation allows an attacker to write arbitrary files to the underlying operating system. These written files can subsequently be leveraged to escalate privileges to root, making the real-world impact equivalent to full system compromise. Cisco explicitly elevated its internal severity rating to Critical on this basis.
- Scope: The CVSS vector (S:C, Scope Changed) indicates the vulnerability’s impact extends beyond the vulnerable component itself, consistent with the OS-level file-write capability.
Affected software
- Cisco Unified Communications Manager (Unified CM)
- Cisco Unified Communications Manager Session Management Edition (Unified CM SME)
Refer to the Cisco Security Advisory (cisco-sa-cucm-ssrf-cXPnHcW) for the complete list of affected release trains and exact version numbers.
Severity
- CVSS v3.1 Base Score: 8.6 (High) — Cisco internal Security Impact Rating: Critical
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Mitigation and recommended actions
- Patch: Cisco has released software updates that address this vulnerability. Organizations running Cisco Unified CM or Unified CM SME should apply the fixed releases identified in the Cisco Security Advisory (cisco-sa-cucm-ssrf-cXPnHcW) immediately.
- No workarounds available: Cisco has confirmed there are no workarounds that fully address this vulnerability.
- Risk reduction: For deployments where WebDialer is not required, disabling the WebDialer service eliminates the exposed attack surface for this specific vulnerability until patching can be completed. Organizations that rely on WebDialer should prioritize patching as an urgent remediation.
- Network segmentation: Where immediate patching is not feasible, restrict inbound HTTP/HTTPS access to Cisco Unified CM management interfaces to trusted networks and administrative hosts only.
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

