A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device.
This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.
Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.
Note: To exploit this vulnerability, the WebDialer service must be enabled. WebDialer is disabled by default.
Security readout for executives and security teams
Plain-English summary
CVE-2026-20230 is a Cisco Unified Communications Manager SSRF flaw. A remote unauthenticated attacker can abuse affected systems when WebDialer is enabled. Successful exploitation can write files to the operating system and may later enable root-level compromise. Cisco rates the advisory Critical, and CISA lists it in KEV, indicating known exploitation.
Executive priority
Treat as urgent for any exposed Cisco call-management environment. The combination of unauthenticated remote access, possible root escalation path, Cisco Critical rating, and CISA KEV listing warrants rapid validation and remediation planning.
Technical view
Improper input validation for specific HTTP requests in Cisco Unified CM and Unified CM SME enables SSRF. The CVSS 3.1 score is 8.6 with network, low-complexity, no-authentication exploitation. Exploitation requires WebDialer enabled, which Cisco states is disabled by default. Impact is integrity-focused file write on the underlying OS with potential privilege escalation to root.
Likely exposure
Highest exposure is Cisco Unified CM or Unified CM SME reachable by attackers with WebDialer enabled. The provided affected version data lists multiple Cisco Unified CM 14 and 15 releases. Exposure is lower where WebDialer remains disabled, but validation is still needed because CISA KEV indicates real-world exploitation.
Exploitation context
CISA KEV supports active exploitation. Cisco states exploitation is unauthenticated and remote but requires WebDialer. A public researcher post is referenced as exploit-related, but this assessment does not include offensive details. Successful exploitation may create files used in a later root escalation path.
Researcher notes
The source bundle does not provide fixed-release details. Cisco’s advisory should be treated as authoritative for affected and corrected versions. The affected list in the bundle names Cisco Unified CM versions, while the description also names Unified CM SME. WebDialer enablement is the key precondition.
Mitigation direction
Check Cisco’s advisory for fixed releases and upgrade guidance.
Disable WebDialer if it is not required.
Restrict network access to Unified CM management and web interfaces.
Prioritize remediation for internet-accessible or untrusted-network reachable systems.
Monitor Cisco and CISA updates for revised affected or fixed version details.
Validation and detection
Inventory Cisco Unified CM and Unified CM SME deployments.
Confirm whether WebDialer is enabled on each system.
Compare installed versions against Cisco’s advisory.
Check whether systems are exposed to untrusted networks.
Review logs for unusual HTTP requests to Unified CM services.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-918: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references SSRF or metadata access, so cloud discovery and credential material review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
Exploitation: activeAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.