
Attackers exploit Cisco Unified Communications Manager vulnerability weeks after patch release


Key Points

What is changing

The flaw, tracked as CVE‑2026‑20230, lets attackers send a crafted HTTP request that triggers a server‑side request forgery (SSRF). This can create a file‑write chain, giving the attacker root access on the system.

Defused announced the first exploitation on June 23, noting attackers were injecting file:// writes into Cisco’s own decoys. This is the first observed malicious use since Cisco released patches on June 3.

Why it matters

Enterprise IT admins who run Cisco Unified Communications Manager or Unified CM SME face the biggest risk. The vulnerability is exploitable only when the WebDialer service is enabled, a setting that is disabled by default but can be turned on in many deployments.

A successful attack could elevate an unauthenticated user to root on the underlying OS. The fix is simple: apply patch 14SU6 for the 14 release train or 15SU5 for the 15 train, or disable WebDialer until the update arrives.

If your environment relies on Cisco’s voice and video platform, update immediately and verify the WebDialer setting. Let us know how your deployment handled this patch in the comments.
