
Cisco warns of critical Unified CM flaw with exploit code

Summary

– Cisco released critical security updates for a Unified Communications Manager flaw (CVE-2026-20230) allowing attackers to gain root privileges via low-complexity SSRF attacks.
– The vulnerability only affects systems with the WebDialer service enabled, which is disabled by default.
– Cisco is aware of public proof-of-concept exploit code for CVE-2026-20230 but has not seen active exploitation.
– No workarounds exist; Cisco recommends installing versions 14SU6 or 15SU5, or disabling WebDialer service as a temporary mitigation.
– In January, Cisco fixed another critical Unified CM zero-day (CVE-2026-20045) actively exploited in remote code execution attacks.

Cisco has released security patches addressing a critical-severity vulnerability in its Unified Communications Manager (Unified CM) platform, a flaw that could allow attackers to gain full root privileges on affected systems.

The Cisco Unified CM, previously known as Cisco CallManager, functions as the central hub for Cisco IP telephony infrastructure. It manages device registration, call routing, and various telephony features across an organization.

Tracked as CVE-2026-20230, this vulnerability is exploitable remotely by unauthenticated attackers through low-complexity server-side request forgery (SSRF) attacks. Cisco’s advisory explains the mechanics clearly: “An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.”

The company assigned a Critical Security Impact Rating (SIR) despite the numerical score suggesting a lower severity. Cisco justified this decision by noting that successful exploitation could directly lead to an attacker achieving root-level privileges on the system.

Cisco’s Product Security Incident Response Team (PSIRT) has confirmed that proof-of-concept exploit code for CVE-2026-20230 is publicly available. However, the team has not observed any active exploitation or targeted attacks in the wild as of this writing.

There is a significant mitigating factor: the vulnerability only affects systems where the WebDialer service is enabled, and this service is disabled by default. Administrators can verify whether WebDialer is active by logging into Cisco Unified CM Administration, navigating to “Cisco Unified Serviceability,” clicking “Go,” and checking the service status under Tools > CTI Services in the “Control Center – Feature Services” menu.

No workarounds exist for this vulnerability, so Cisco strongly recommends installing Unified CM versions 14SU6 or 15SU5 (September 2026 or COP). As a temporary measure, administrators can disable the WebDialer service to block any incoming attacks targeting CVE-2026-20230 until a patch is applied. To disable it, log into the Cisco Unified CM Administration interface, select “Cisco Unified Serviceability” from the Navigation menu, choose “Service Activation” under the Tools menu, uncheck the “Cisco WebDialer Web Service” checkbox in the CTI Services section, and click Save.
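The advisory leaves administrators with two states to sort their Unified CM fleet into: running a fixed release (14SU6 or 15SU5), or unpatched with WebDialer either on or off. The helper below, an added example that is not part of the BleepingComputer article or any Cisco tooling, applies that triage to a constructed inventory. Its assumptions are labelled in the code: version strings are of the form "14SU6" (major train plus Service Update number), only the 14 and 15 trains have fixed releases named on the page so other trains are reported for manual review, and the WebDialer state is supplied by the operator from the Serviceability page described above rather than queried from the system.

```python
"""Inventory triage for the Unified CM fix described above.

Added example, not from the article or from Cisco. Assumptions:
  - version strings look like "14SU6" / "15SU5" / "12.5SU7"; anything
    that does not parse is reported for manual review
  - fixed releases are exactly the ones the article names (14SU6, 15SU5);
    trains without a named fix are reported for review, not guessed at
  - the WebDialer state is read by the operator from Cisco Unified
    Serviceability and passed in; nothing here talks to a CUCM node
"""
import re
from dataclasses import dataclass

# Fixed Service Update per major train, as stated in the article.
FIXED_SU = {14: 6, 15: 5}

# "<major>[.minor...]SU<n>" e.g. "14SU6", "12.5SU7" (assumed format)
_VERSION_RE = re.compile(r"^(\d+)(?:\.\d+)*SU(\d+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Node:
    name: str
    version: str
    webdialer_enabled: bool  # from Control Center - Feature Services


def parse_version(version):
    """Return (major, su) or None when the string is not in the assumed form."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_patched(version):
    """True/False for trains with a named fix; None when we cannot tell."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, su = parsed
    fixed = FIXED_SU.get(major)
    if fixed is None:
        return None  # train not covered by the fixed releases on the page
    return su >= fixed


def triage(node):
    """Classify one node.

    patched    - running 14SU6+/15SU5+
    exposed    - unpatched and WebDialer enabled (the vulnerable condition)
    mitigated  - unpatched but WebDialer disabled (temporary measure only)
    review     - version not recognised or train without a named fix
    """
    patched = is_patched(node.version)
    if patched is None:
        return "review"
    if patched:
        return "patched"
    return "exposed" if node.webdialer_enabled else "mitigated"


# Constructed sample inventory (hostnames and states are made up).
SAMPLE_INVENTORY = [
    Node("cucm-hq-pub", "15SU5", True),
    Node("cucm-branch-1", "14SU4", True),
    Node("cucm-branch-2", "14SU4", False),
    Node("cucm-lab", "12.5SU7", True),
    Node("cucm-unknown", "15", False),
]


def run_inventory(nodes=SAMPLE_INVENTORY):
    """Map each node name to its triage result."""
    return {n.name: triage(n) for n in nodes}


if __name__ == "__main__":
    for name, status in run_inventory().items():
        print(f"{name:16} {status}")
```

Nodes classified as "exposed" are the ones to patch first; "mitigated" nodes still need the update, since the article is explicit that disabling WebDialer is only a stopgap until 14SU6 or 15SU5 is installed.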

This is not the first critical Unified CM flaw Cisco has addressed recently. In January, the company patched CVE-2026-20045, another critical vulnerability that was actively exploited as a zero-day in remote code execution attacks.

Over the past several years, Cisco has removed a backdoor account from Unified CM that allowed remote attackers to log into unpatched devices with root privileges. The company also fixed CVE-2024-20253, a flaw that enabled threat actors to gain root access to vulnerable systems.

According to data from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), 91 Cisco vulnerabilities have been tagged as actively exploited in the wild over the past five years. Of those, six have been leveraged by various ransomware operations.

(Source: BleepingComputer)
