Status: Active KEV, CVE-2026-20230, added 2026-06-25

Cisco Unified CM SSRF Flaw (CVE-2026-20230) Added to CISA KEV

A critical, unauthenticated server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager can let remote attackers write files to the underlying OS and ultimately escalate to root.

What Is It

CVE-2026-20230 is a server-side request forgery (SSRF) vulnerability (CWE-918) in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). It stems from improper input validation of specific HTTP requests. An unauthenticated, remote attacker can exploit it by sending a crafted HTTP request to an affected device. Successful exploitation lets the attacker write files to the underlying operating system, and those files can later be used to escalate privileges to root.

Why It Matters

Cisco assigned this advisory a Security Impact Rating (SIR) of Critical, one step above its CVSS 3.1 base score of 8.6 (HIGH; vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N). The vector scores only the direct primitive, an integrity-impacting file write (C:N/I:H/A:N), while Cisco's rating reflects the chained outcome: root-level privilege escalation. The vulnerability requires no authentication (PR:N) and no user interaction (UI:N), with low attack complexity (AC:L). CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on 2026-06-25, and CISA's SSVC assessment marks exploitation status as active. Known ransomware campaign use is listed as Unknown.

What's Vulnerable

Affected products are Cisco Unified Communications Manager (Unified CM) and Unified CM SME. Per Cisco, exploitation requires the Cisco WebDialer service to be enabled. It is disabled by default, so a node on which it has never been activated is not exposed, but WebDialer is commonly switched on for click-to-dial and should be verified rather than assumed off. In Cisco Unified Serviceability, Tools > Control Center - Feature Services shows whether the Cisco WebDialer Web Service is activated and running; the admin CLI command utils service list reports the same service state.

Patch Status

CISA's required action is to apply mitigations per Cisco's instructions, in compliance with BOD 26-04 (Prioritizing Security Updates Based on Risk) and CISA's "Forensics Triage Requirements." For cloud services, follow the applicable BOD 26-04 guidance, or discontinue use of the product if mitigations are unavailable. Each asset's internet exposure must be evaluated and the BOD 26-04 patching timelines followed; because the flaw is unauthenticated, internet-reachable Unified CM or SME nodes with WebDialer enabled are the first tier to remediate. The CISA due date is 2026-06-28, three days after the KEV addition.

Sources