Cisco Unified CM CVE-2026-20230 file-write exploitation
Summary
CVE-2026-20230 is a Cisco Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME) server-side request forgery vulnerability. Cisco says unauthenticated remote requests can abuse the flaw to write files to the underlying operating system that can later be used to elevate to root.
Cisco published the advisory on June 3, 2026 and noted that proof-of-concept exploit code was public, while Cisco PSIRT was not aware of malicious use at advisory publication. On June 24, 2026, The Hacker News reported that Defused Cyber had observed active exploitation against decoys using PoC-derived file-write payloads. Treat the active-exploitation claim as secondary/telemetry reporting until Cisco or CISA publishes a follow-up, but do not wait to reduce exposure on internet-reachable or partner-reachable call-control systems.
Tags
- ops
- operations
- Cisco
- Cisco Unified Communications Manager
- Cisco Unified CM
- Unified CM SME
- CVE-2026-20230
- SSRF
- arbitrary file write
- root escalation
- active exploitation
- edge appliance
- communications infrastructure
- incident response
Why this matters
- Unified CM is a high-trust communications control plane; compromise can affect telephony, authentication-adjacent integrations, call routing, and internal visibility.
- The vulnerable primitive is unauthenticated when the exposed service path is reachable, but Cisco says exploitation requires the Cisco WebDialer Web Service to be enabled. WebDialer is disabled by default.
- The post-SSRF impact is not just data access: Cisco explicitly warns that written files can be used later for root escalation.
- Public exploit detail exists, and third-party decoy telemetry suggests real probing/exploitation started after disclosure.
Operational characteristics
- Affected products: Cisco Unified CM and Unified CM SME with WebDialer enabled.
- Vulnerability class: improper input validation enabling SSRF through crafted HTTP requests.
- Privilege requirement: Cisco describes exploitation as unauthenticated and remote.
- Impact: file write to the underlying operating system, with later root escalation possible.
- Exploit availability: Cisco says proof-of-concept exploit code is public; SSD Secure Disclosure published technical root-cause detail on June 23, 2026.
- Observed activity: The Hacker News cites Defused Cyber telemetry of active exploitation from a single source using an unvetted PoC and file:// file-write payloads against decoys.
- Attribution: none publicly established. Do not infer a named actor from the current public reporting.
Exposure and patch status
Cisco's June 3 advisory lists no workaround that fully addresses the vulnerability, but gives WebDialer disablement as a mitigation until fixed software can be applied.
Cisco fixed-release guidance at advisory version 1.0:
| Unified CM / Unified CM SME release | First fixed release |
|---|---|
| 14 | 14SU6 |
| 15 | 15SU5 planned for September 2026, or a version-specific COP patch |
Cisco says customers should consult the patch README because COP patches are version-specific.
Defender heuristics
- Inventory Unified CM / Unified CM SME systems, especially management and application interfaces reachable from the internet, partner networks, VPN pools, or broad internal segments.
- In Cisco Unified CM Administration, check whether WebDialer is enabled: Cisco Unified Serviceability → Tools → Control Center - Feature Services → CTI Services → Cisco WebDialer Web Service. If the status is Started, WebDialer is enabled.
- If WebDialer is not required, disable the Cisco WebDialer Web Service through Cisco Unified Serviceability → Tools → Service Activation while preparing fixed-version rollout.
- Upgrade release 14 deployments to 14SU6; for release 15, apply the appropriate version-specific COP patch, or 15SU5 when it becomes available, following Cisco's patch README and change-control guidance.
- Review HTTP access logs and reverse-proxy / WAF telemetry for unexpected WebDialer and CM platform requests, malformed host or URL parameters, encoded traversal-like strings, file:// indicators, and unusual unauthenticated request bursts.
- Treat successful-looking file-write probes as possible host compromise: preserve logs and filesystem artifacts before rebuild or upgrade, scope for unexpected service files, web artifacts, scheduled jobs, modified Tomcat/application files, and new privileged access.
- Because exploit attempts may write files for delayed root escalation, do not close the incident with patching alone if exploit traffic is present; validate host integrity and consider vendor-assisted recovery.
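A log-triage helper for the access-log review step above, added here as an example and not taken from Cisco, SSD or the page's other sources. It assumes combined-log-format web access logs, a /webdialer/ path prefix, and a made-up `target` query parameter; the sample lines, IPs and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed combined-log-format sample; IPs, timestamps and the 'target'
# parameter are made up for illustration. The /webdialer/ path is assumed.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jun/2026:10:01:02 +0000] "GET /webdialer/Webdialer?cmd=doMakeCall HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Jun/2026:10:02:10 +0000] "POST /webdialer/Webdialer HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.9 - - [24/Jun/2026:10:02:11 +0000] "GET /webdialer/Webdialer?target=file%3A%2F%2F%2Ftmp%2Fx HTTP/1.1" 400 0 "-" "curl/8.0"
203.0.113.9 - - [24/Jun/2026:10:02:12 +0000] "GET /webdialer/Webdialer?target=%252e%252e%252f%252e%252e%252fetc HTTP/1.1" 400 0 "-" "curl/8.0"
203.0.113.9 - - [24/Jun/2026:10:02:13 +0000] "GET / HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.9 - - [24/Jun/2026:10:02:14 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/8.0"
not a log line
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# file_scheme and traversal are high-severity indicators; webdialer_path is context only.
INDICATORS = {
    "file_scheme": re.compile(r"file:/", re.I),
    "traversal": re.compile(r"\.\.[/\\]"),
    "webdialer_path": re.compile(r"^/webdialer", re.I),
}
HIGH = {"file_scheme", "traversal"}

def normalise(target):
    """Decode twice so double-encoded strings such as %252e are still caught."""
    return unquote(unquote(target))

def has_burst(times, n, window):
    """True if any n requests from one client fall within a single window."""
    times = sorted(times)
    return any(times[i + n - 1] - times[i] <= window for i in range(len(times) - n + 1))

def analyse(log_text, burst_n=5, burst_window=timedelta(seconds=60)):
    flagged, per_ip = [], defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the sweep
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_ip[m["ip"]].append(ts)
        decoded = normalise(m["target"])
        hits = [k for k, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            flagged.append({"ip": m["ip"], "target": m["target"], "hits": hits, "high": bool(HIGH & set(hits))})
    bursts = sorted(ip for ip, t in per_ip.items() if has_burst(t, burst_n, burst_window))
    return {"flagged": flagged, "bursts": bursts, "parsed": sum(len(v) for v in per_ip.values())}
```

Entries with `high` set, or a client listed in `bursts`, are the ones to hand to the host-integrity check described in the next bullet rather than closing out on a 400 status alone.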
Related pages
- Cisco Catalyst SD-WAN Manager CVE-2026-20245 / CVE-2026-20262 exploitation
- Splunk Enterprise CVE-2026-20253 pre-auth file write / RCE
- Ivanti Sentry CVE-2026-10520 exploitation
Sources
- Cisco advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW
- SSD Secure Disclosure: https://ssd-disclosure.com/cisco-unified-communications-manager-arbitrary-file-write-to-rce/
- The Hacker News: https://thehackernews.com/2026/06/cisco-unified-cm-flaw-exploited-after.html