Critical Cisco Unified CM and SME SSRF Flaw Allows Remote Root Compromise
Cisco disclosed a critical SSRF vulnerability in Unified CM and Unified CM SME that lets unauthenticated attackers write arbitrary files and gain root privileges.

Cisco has warned customers about a critical server-side request forgery (SSRF) flaw in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME) that allows remote, unauthenticated attackers to write files on the underlying OS and potentially gain root privileges.
Tracked as CVE-2026-20230 and rated Critical by Cisco despite a CVSS v3.1 base score of 8.6, the issue stems from improper input validation in the WebDialer component. The vulnerability exists because specific HTTP requests processed by Unified CM and Unified CM SME are not sufficiently validated when the Cisco WebDialer Web Service is enabled. An attacker can exploit this weakness by sending crafted HTTP requests to the WebDialer endpoint, abusing the application's trust in internal resources to trigger SSRF.
Once the SSRF condition is established, the attacker can force the system to create arbitrary files on the underlying operating system. These files can then be leveraged to escalate privileges to root, giving the adversary complete control over the Unified CM server, including configuration, call control, and underlying services. This root-level outcome is why Cisco assigned the flaw a Security Impact Rating of Critical even though its CVSS v3.1 base score is 8.6: realistic exploitation leads to full compromise of the host.
The network-based, unauthenticated, low-complexity nature of the attack significantly lowers the barrier to exploitation for remote attackers. A successful attack could enable adversaries to tamper with call routing, inject or modify configuration files, implant backdoors, and pivot deeper into voice and collaboration networks. In large Unified CM deployments, the compromise of a core call-control node can result in widespread service disruption and a strategic foothold for lateral movement.
The vulnerability affects Cisco Unified CM and Unified CM SME installations where the Cisco WebDialer Web Service is enabled in the CTI Services section. WebDialer is disabled by default, so only systems where administrators have intentionally enabled this feature are exposed to CVE-2026-20230. Cisco's advisory links the flaw to bug ID CSCws67331 and identifies fixed releases for major trains: Unified CM and Unified CM SME 14 are remediated in 14SU6, while 15-series customers must upgrade to 15SU5 (or deploy an available COP patch).
The Cisco PSIRT has confirmed the availability of proof-of-concept exploit code but, at the time of initial disclosure, had no evidence of active malicious exploitation in the wild. A typical exploitation chain begins when a remote attacker sends a specially crafted HTTP request to the WebDialer interface on an affected Unified CM or Unified CM SME instance. Due to improper input validation, the application processes attacker-controlled URLs, causing the server to issue internal HTTP requests that result in arbitrary file creation on the host system. With file-write capabilities in place, the attacker can plant malicious scripts or modify system and application configuration files to execute code with elevated privileges and eventually attain root access.
Cisco states that there are no true workarounds and that upgrading to a fixed software release is the only complete remediation for CVE-2026-20230. As a temporary mitigation, administrators can disable the Cisco WebDialer Web Service via the Cisco Unified Serviceability interface, provided it is not required for business operations. Organizations should prioritize upgrading Unified CM and Unified CM SME to the fixed releases, 14SU6 or later for the 14 train and 15SU5 (or the relevant COP1 patch) for the 15 train, in line with the guidance in Cisco's advisory and bug CSCws67331. Until patches are fully deployed, defenders should restrict management interfaces to trusted networks and monitor for unusual HTTP activity and unexpected file creation on Unified CM servers.
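As an added illustration of the monitoring advice above (example code, not part of Cisco's advisory or this article), the following Python script triages web access log lines for WebDialer requests that either arrive from outside a trusted management network or carry a URL inside a query parameter, the classic SSRF indicator. The common log format, the `/webdialer` path fragment and the 10.10.0.0/24 trusted range are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumptions (not from the advisory): WebDialer is served under a path containing
# "webdialer", and administrative access is only expected from 10.10.0.0/24.
WEBDIALER_PATH_RE = re.compile(r"/webdialer", re.IGNORECASE)
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# A parameter value that is itself a URL (scheme://...) is a classic SSRF indicator.
URL_VALUE_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
# Common/combined log format: client - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def is_trusted(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)

def url_valued_params(path: str) -> list:
    """Names of query parameters whose decoded value looks like a URL."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    # parse_qs decodes one layer; unquote() also catches a double-encoded value.
    return sorted(k for k, vals in query.items() if any(URL_VALUE_RE.match(unquote(v)) for v in vals))

def triage(log_lines) -> list:
    """Return (client, path, reasons) for WebDialer requests that merit review."""
    findings = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand
        client, _method, path, _status = match.groups()
        if not WEBDIALER_PATH_RE.search(path):
            continue  # only the WebDialer service is in scope here
        reasons = []
        if not is_trusted(client):
            reasons.append("untrusted source")
        params = url_valued_params(path)
        if params:
            reasons.append("url-in-param:" + ",".join(params))
        if reasons:
            findings.append((client, path, reasons))
    return findings

# Constructed sample lines, not captured from a real Unified CM system.
SAMPLE_LOG = [
    '10.10.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /webdialer/Webdialer?cmd=makeCall HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Mar/2026:10:00:02 +0000] "POST /webdialer/Webdialer HTTP/1.1" 200 128',
    '10.10.0.9 - - [01/Mar/2026:10:00:03 +0000] "GET /webdialer/Webdialer?target=http%3A%2F%2Fexample.invalid%2F HTTP/1.1" 500 0',
    '198.51.100.4 - - [01/Mar/2026:10:00:04 +0000] "GET /status.jsp HTTP/1.1" 200 2048',
]
```

Running `triage(SAMPLE_LOG)` flags the POST from 203.0.113.7 (untrusted source) and the request from 10.10.0.9 (URL in the `target` parameter), while the trusted makeCall request and the non-WebDialer request pass. In production, feed it the web server's access log lines instead of the constructed sample and adjust the trusted ranges to your management network.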