CISA Warns Cisco Unified CM Flaw Is Being Exploited in Attacks


CISA has added CVE-2026-20230, a Cisco Unified Communications Manager vulnerability, to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The agency set a June 28, 2026 remediation deadline for affected federal systems, as listed in the CISA KEV catalog.

The flaw affects Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition when the WebDialer service is enabled. Cisco addressed the issue in its security advisory, first published on June 3, 2026.

The vulnerability lets an unauthenticated remote attacker send crafted HTTP requests that trigger a server-side request forgery attack. According to the NVD entry for CVE-2026-20230, successful exploitation could allow files to be written to the underlying operating system and later used to elevate privileges to root.

Why CVE-2026-20230 is urgent

CVE-2026-20230 matters because it targets enterprise voice and collaboration infrastructure. Unified CM systems often sit deep inside corporate networks, where they can connect to identity services, internal routing, call management systems, and administrative tools.

Cisco assigned the advisory a Critical Security Impact Rating even though the CVSS 3.1 base score is 8.6 High. The company says the higher rating reflects the possibility of root-level privilege escalation after file writing.

The flaw sits in the WebDialer service. Cisco says WebDialer is disabled by default, but organizations that enabled it for click-to-call or related calling workflows should treat exposed systems as high-risk until they patch or mitigate them.

Affected Cisco products

| Product | Affected condition | Risk |
| --- | --- | --- |
| Cisco Unified Communications Manager | WebDialer service enabled | SSRF, file write, possible root escalation |
| Cisco Unified Communications Manager Session Management Edition | WebDialer service enabled | SSRF, file write, possible root escalation |

The Canadian Centre for Cyber Security also warned administrators about the issue in its Cisco advisory update. It noted that proof-of-concept exploit code is available and that CISA added the vulnerability to the KEV database on June 25, 2026.

The affected release information is narrow but important. The Canadian cyber advisory lists Cisco Unified CM and Unified CM SME Release 14 versions before 14SU6, plus Release 15 versions before 15SU5 or the applicable Cisco Option Package.

Security teams should confirm both the product version and whether WebDialer is running. A system with WebDialer disabled does not meet Cisco’s stated exploitation condition, but administrators should still apply the fixed software where possible.

What attackers can do with the Cisco flaw

The vulnerability comes from improper input validation for specific HTTP requests. An attacker can exploit the issue by sending a crafted request to an affected device.

The main impact is file writing to the operating system. That file-write ability can create a foothold for later privilege escalation, especially if attackers place files in locations that help them execute code or modify service behavior.

  • The attack does not require authentication.
  • The attacker must reach an affected Cisco Unified CM or Unified CM SME system.
  • The WebDialer service must be enabled.
  • Successful exploitation can write files to the operating system.
  • Those files could later support root-level compromise.

CISA sets a short remediation deadline

CISA’s deadline is unusually short because the vulnerability is already being exploited. Under BOD 26-04, federal civilian agencies must prioritize high-risk vulnerabilities based on exposure, exploitation, automation, and technical impact.

The KEV entry tells agencies to apply vendor mitigations, follow CISA’s forensic triage requirements, evaluate internet exposure, and discontinue use of the product if mitigations are unavailable. The same steps also offer useful guidance for private organizations, even when the directive does not legally apply to them.

CISA’s risk-based patching directive replaced slower vulnerability handling with tighter timelines for the most dangerous cases. CVE-2026-20230 fits that model because attackers have already moved beyond theory.

How administrators should respond

Cisco says there are no workarounds that fully address the vulnerability. However, administrators can temporarily disable the WebDialer service until they apply fixed software, according to the Cisco Unified CM advisory.

That mitigation should not replace patching. Cisco recommends upgrading to a fixed release, including 14SU6 for Release 14 and 15SU5 or the relevant Cisco Option Package for Release 15.

  1. Check whether Cisco Unified CM or Unified CM SME is deployed.
  2. Confirm whether the WebDialer service is enabled.
  3. Apply the fixed Cisco software release or package.
  4. Temporarily disable WebDialer if patching cannot happen immediately.
  5. Review logs for suspicious HTTP requests and unexpected file writes.
  6. Run forensic triage on internet-exposed or suspicious systems.
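
Steps 1 to 4 can be applied to an asset inventory in bulk. The following is an added example, not code from Cisco or CISA, that ranks hosts using the fixed releases named above (14SU6, 15SU5 or the Option Package) and the WebDialer condition. The CSV columns, the `14SU4`-style release labels, and the `cop_applied` flag are assumptions about how an inventory might record this data.

```python
import csv
import io
import re

# Fixed releases as stated in the article: 14SU6 for Release 14, 15SU5 (or the
# applicable Cisco Option Package) for Release 15.
FIXED_SU = {14: 6, 15: 5}

# Constructed sample inventory; the column names and the "14SU4" label style
# are assumptions, not a Cisco export format.
SAMPLE_INVENTORY = """host,release,webdialer_enabled,cop_applied,internet_exposed
cucm-pub-01,14SU4,yes,no,yes
cucm-sub-02,14SU6,yes,no,no
sme-01,15SU3,no,no,no
cucm-lab-03,15SU2,yes,yes,no
cucm-old-04,12.5SU7,yes,no,no
cucm-new-05,15,yes,no,no
"""

def needs_fix(release, cop_applied):
    """True/False for Release 14/15; None when the article gives no guidance."""
    m = re.fullmatch(r"(\d+)(?:SU(\d+))?", release.strip(), re.IGNORECASE)
    if not m or int(m.group(1)) not in FIXED_SU:
        return None  # other release trains: consult the vendor advisory
    major, su = int(m.group(1)), int(m.group(2) or 0)  # no SU label counts as SU0
    if major == 15 and cop_applied:
        return False  # Option Package is listed as a fix for Release 15
    return su < FIXED_SU[major]

def triage(row):
    yes = lambda key: row[key].strip().lower() == "yes"
    status = needs_fix(row["release"], yes("cop_applied"))
    if status is None:
        return "CHECK-ADVISORY"
    if not status:
        return "FIXED"
    if not yes("webdialer_enabled"):
        return "PATCH"  # stated exploitation condition not met; still upgrade
    return "URGENT-EXPOSED" if yes("internet_exposed") else "URGENT"

def triage_inventory(text):
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {verdict}")
```

Hosts marked `URGENT` or `URGENT-EXPOSED` are the ones to patch or have WebDialer disabled first, and they are also the candidates for the log review and forensic triage in steps 5 and 6.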

What security teams should investigate

Organizations should look for signs that attackers attempted to use SSRF behavior against Unified CM systems. Unusual outbound requests, unexpected local file creation, and unexplained service behavior deserve immediate review.

The National Vulnerability Database confirms that exploitation requires WebDialer to be enabled and notes that Cisco assigned the issue to CWE-918, the category for server-side request forgery. That helps vulnerability teams map the flaw to existing SSRF detection and response procedures.

The CISA entry does not currently link CVE-2026-20230 to a known ransomware campaign. Even so, the combination of unauthenticated access, file writing, and potential root escalation makes rapid remediation the safest response.

FAQ

What is CVE-2026-20230?

CVE-2026-20230 is a server-side request forgery vulnerability in Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition when WebDialer is enabled.

Is CVE-2026-20230 being exploited?

Yes. CISA added CVE-2026-20230 to its Known Exploited Vulnerabilities catalog after confirming active exploitation.

Which Cisco products are affected by CVE-2026-20230?

The vulnerability affects Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition when the WebDialer service is enabled.

Does CVE-2026-20230 require authentication?

No. Cisco says an unauthenticated remote attacker can exploit the vulnerability by sending crafted HTTP requests to an affected device.

How can administrators fix CVE-2026-20230?

Administrators should upgrade to Cisco fixed software. Cisco also says WebDialer can be disabled as a temporary mitigation until the patch is applied.
