Critical SSRF Vulnerability in Cisco Unified CM Exploited via Public PoC
A proof-of-concept (PoC) exploit has been released for a critical server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME), tracked as CVE-2026-20230. The flaw, rated 8.6 (High) on the CVSS v3.1 scale but classified as Critical by Cisco due to its potential for root-level privilege escalation, exposes vulnerable systems to remote exploitation.
The vulnerability arises from improper input validation in HTTP requests (CWE-918), allowing unauthenticated attackers to interact with internal services. By sending crafted HTTP requests, threat actors can perform SSRF attacks and write arbitrary files to the underlying OS, enabling privilege escalation and potential full system compromise. Exploitation is only possible if the Cisco WebDialer service, which is disabled by default but active in some deployments, is enabled.
The public release of the PoC exploit heightens the risk, as it provides attackers with a functional attack method. Security researchers confirm the exploit demonstrates SSRF-based file-writing capabilities, which could be used for persistence or further lateral movement, particularly in internet-facing or compromised internal networks.
Affected systems include Cisco Unified CM and Unified CM SME with the WebDialer service running. Administrators can check vulnerability status via the Cisco Unified CM Administration interface under Cisco Unified Serviceability > Control Center – Feature Services. If the Cisco WebDialer Web Service is marked as "Started," the system is exposed.
Cisco has released software updates to patch the flaw, with no official workarounds available. As a temporary mitigation, disabling the WebDialer service is recommended. Additional defensive measures include restricting access to management interfaces and monitoring for suspicious outbound HTTP requests or unauthorized file creation.
While no active compromises have been reported, organizations are urged to prioritize patching due to the high risk of exploitation and the potential for root-level access. The vulnerability underscores the urgency of securing enterprise communication systems against SSRF-based attacks.
Source: https://gbhackers.com/poc-exploit-released-for-cisco/
Cisco TPRM report: https://www.rankiteo.com/company/cisco
"id": "cis1780568638",
"linkid": "cisco",
"type": "Vulnerability",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology/Telecommunications',
                        'name': 'Cisco Unified Communications Manager (Unified CM)',
                        'type': 'Enterprise communication system'},
                       {'industry': 'Technology/Telecommunications',
                        'name': 'Cisco Unified CM Session Management Edition (Unified CM SME)',
                        'type': 'Enterprise communication system'}],
 'attack_vector': 'Remote exploitation via crafted HTTP requests',
 'description': 'A proof-of-concept (PoC) exploit has been released for a critical server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME), tracked as CVE-2026-20230. The flaw allows unauthenticated attackers to interact with internal services, perform SSRF attacks, and write arbitrary files to the underlying OS, enabling privilege escalation and potential full system compromise.',
 'impact': {'operational_impact': 'Potential full system compromise, root-level privilege escalation',
            'systems_affected': 'Cisco Unified CM and Unified CM SME with WebDialer service enabled'},
 'lessons_learned': 'Urgency of securing enterprise communication systems against SSRF-based attacks, importance of patching critical vulnerabilities promptly',
 'post_incident_analysis': {'corrective_actions': 'Software updates, disabling vulnerable service, enhanced monitoring',
                            'root_causes': 'Improper input validation in HTTP requests (CWE-918)'},
 'recommendations': 'Prioritize patching, disable WebDialer service if not in use, restrict access to management interfaces, monitor for suspicious activity',
 'references': [{'source': 'Cisco Security Advisory'}],
 'response': {'containment_measures': 'Disabling the WebDialer service, restricting access to management interfaces',
              'enhanced_monitoring': 'Monitoring for suspicious outbound HTTP requests or unauthorized file creation',
              'remediation_measures': 'Software updates released by Cisco'},
 'title': 'Critical SSRF Vulnerability in Cisco Unified CM Exploited via Public PoC',
 'type': 'SSRF (Server-Side Request Forgery)',
 'vulnerability_exploited': 'CVE-2026-20230 (Improper input validation in HTTP requests, CWE-918)'}