LiveActive security incident?Get immediate response
CVE Record

CVE-2026-20230: Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability

A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root. Note: To exploit this vulnerability, the WebDialer service must be enabled. WebDialer is disabled by default.

HighCVSS 8.6Known exploitedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

CVE-2026-20230 is a Cisco Unified Communications Manager SSRF flaw. A remote unauthenticated attacker can abuse affected systems when WebDialer is enabled. Successful exploitation can write files to the operating system and may later enable root-level compromise. Cisco rates the advisory Critical, and CISA lists it in KEV, indicating known exploitation.

Executive priority

Treat as urgent for any exposed Cisco call-management environment. The combination of unauthenticated remote access, possible root escalation path, Cisco Critical rating, and CISA KEV listing warrants rapid validation and remediation planning.

Technical view

Improper input validation for specific HTTP requests in Cisco Unified CM and Unified CM SME enables SSRF. The CVSS 3.1 score is 8.6 with network, low-complexity, no-authentication exploitation. Exploitation requires WebDialer enabled, which Cisco states is disabled by default. Impact is integrity-focused file write on the underlying OS with potential privilege escalation to root.

Likely exposure

Highest exposure is Cisco Unified CM or Unified CM SME reachable by attackers with WebDialer enabled. The provided affected version data lists multiple Cisco Unified CM 14 and 15 releases. Exposure is lower where WebDialer remains disabled, but validation is still needed because CISA KEV indicates real-world exploitation.

Exploitation context

CISA KEV supports active exploitation. Cisco states exploitation is unauthenticated and remote but requires WebDialer. A public researcher post is referenced as exploit-related, but this assessment does not include offensive details. Successful exploitation may create files used in a later root escalation path.

Researcher notes

The source bundle does not provide fixed-release details. Cisco’s advisory should be treated as authoritative for affected and corrected versions. The affected list in the bundle names Cisco Unified CM versions, while the description also names Unified CM SME. WebDialer enablement is the key precondition.

Mitigation direction

  • Check Cisco’s advisory for fixed releases and upgrade guidance.
  • Disable WebDialer if it is not required.
  • Restrict network access to Unified CM management and web interfaces.
  • Prioritize remediation for internet-accessible or untrusted-network reachable systems.
  • Monitor Cisco and CISA updates for revised affected or fixed version details.

Validation and detection

  • Inventory Cisco Unified CM and Unified CM SME deployments.
  • Confirm whether WebDialer is enabled on each system.
  • Compare installed versions against Cisco’s advisory.
  • Check whether systems are exposed to untrusted networks.
  • Review logs for unusual HTTP requests to Unified CM services.
Prepared
Confidence
high
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-918: Information exposure and cloud metadata lookup

Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Cloud metadata behavior lookup

The CVE wording references SSRF or metadata access, so cloud discovery and credential material review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-20230 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.6 (3.1)
Known Exploited
Yes
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
4Source links

CISA KEV status

Status
Known exploited
Source
CISA KEV
Date added
Not provided
KEV reference

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: activeAutomatable: noTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.6CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N3.94cisco

Vulnerability scoring details

Base CVSS 3.1 score

8.6High
CVSS 3.1 vector shape for CVE-2026-20230Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
CiscoCisco Unified Communications Manager14, 14SU1, 14SU2, 14SU3, 15, 15SU1, 14SU4, 14SU4a, 15SU1a, 15SU2, 15.0.1.13010-1, 15.0.1.13011-1, 15.0.1.13012-1, 15.0.1.13013-1, 15.0.1.13014-1, 15.0.1.13015-1, 15.0.1.13016-1, 15.0.1.13017-1, 15SU3a, 14SU5, 15SU4, 15SU4aunknown
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.