Cisco Fixes Critical Unified CM Vulnerability, PoC Published
2026-06-05 09:49

en.Wedoany.com Reported - Cisco has fixed a vulnerability in Unified Communications Manager, tracked as CVE-2026-20230, which allows unauthenticated attackers on the network to write files to the device and subsequently escalate privileges to root. Proof-of-concept (PoC) exploit code has been publicly released. Cisco PSIRT stated that no active exploitation of this vulnerability has been observed, but the public PoC narrows the window defenders have to patch before exploitation attempts begin.

Classified as a Server-Side Request Forgery (SSRF) vulnerability, the flaw stems from Unified CM and its Session Management Edition failing to properly validate certain HTTP requests. Specially crafted requests can force the server to write arbitrary files to the underlying operating system, which attackers can then use as a springboard to escalate privileges to the highest system level, root. This two-step attack pattern has led to inconsistencies in the vulnerability score and rating. CVE-2026-20230 has a base CVSS score of 8.6 out of 10, which only evaluates the impact on integrity from the file writing step. The report explicitly states that this step "affects integrity only, with no loss of confidentiality or availability," without incorporating the subsequent root privilege escalation consequences. Cisco still rated the advisory as "Critical," citing that the attack can ultimately achieve full root privileges.

A mitigating factor exists for this vulnerability: it only affects deployments where the WebDialer service is running, and that service is disabled by default. Where WebDialer has been enabled, this protection no longer applies. Administrators can check the service state from Cisco Unified CM Administration by navigating to Cisco Unified Serviceability, then Tools > Control Center - Feature Services, and reading the status of Cisco WebDialer Web Service under the CTI Services section. A status of "Started" indicates that the deployment is at risk.

Applying patches is the only way to fix this vulnerability. For version 14, the corresponding patch is 14SU6. For version 15, the full service update (15SU5) will not be released until September 2026. Until then, interim COP patches must be used, or the WebDialer service must be disabled (by unchecking it in Tools > Service Activation and saving). The vulnerability was reported by an independent researcher in collaboration with SSD Secure Disclosure.
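As an added example that is not part of the article and not Cisco tooling, the following Python script triages a constructed inventory of Unified CM nodes against the conditions the article describes (WebDialer state, 14SU6 for version 14, 15SU5 or an interim COP patch for version 15); the "14SU6"-style version labels, the host names and the function names are assumptions made for the example.

```python
# Added triage helper (not from the article or Cisco): flags Unified CM nodes still
# exposed to CVE-2026-20230 per the advisory summary; all inputs here are constructed.
import re
from dataclasses import dataclass

FIXED_SU = {14: 6, 15: 5}   # 14SU6 fixes v14; 15SU5 (due September 2026) fixes v15

@dataclass
class Node:
    host: str
    version: str              # "14SU5"-style label as an admin would record it (assumed)
    webdialer: str            # "Started" / "Stopped" / "Not Activated" from Control Center
    cop_applied: bool = False # interim COP patch installed (the v15 stopgap until 15SU5)

def parse_su(version: str):
    """Return (major, su) from a label like '15SU4', or None if unrecognised."""
    m = re.fullmatch(r"\s*(\d+)SU(\d+)\s*", version, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(node: Node) -> str:
    """Classify one node as 'exposed', 'mitigated', 'patched' or 'unknown'."""
    parsed = parse_su(node.version)
    if parsed is None or parsed[0] not in FIXED_SU:
        return "unknown"      # outside the advisory summary: check Cisco's advisory directly
    major, su = parsed
    if su >= FIXED_SU[major] or (major == 15 and node.cop_applied):
        return "patched"
    # Unpatched: the SSRF file write is only reachable while WebDialer is running
    if node.webdialer.strip().lower() == "started":
        return "exposed"
    return "mitigated"

def triage(nodes):
    """Group hosts by state so exposed nodes can be disabled or patched first."""
    report = {"exposed": [], "mitigated": [], "patched": [], "unknown": []}
    for n in nodes:
        report[assess(n)].append(n.host)
    return report

# Constructed sample inventory, not real hosts
SAMPLE = [
    Node("cucm-pub-1", "14SU5", "Started"),
    Node("cucm-sub-1", "14SU6", "Started"),
    Node("cucm-15-a", "15SU4", "Started", cop_applied=True),
    Node("cucm-15-b", "15SU4", "Started"),
    Node("cucm-old", "12.5", "Started"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))   # expected: {'exposed': ['cucm-pub-1', 'cucm-15-b'], ...}
```

Nodes reported as "exposed" are the ones where disabling WebDialer (Tools > Service Activation) or applying the patch or COP should come first; "unknown" rows are versions the article does not cover and need to be checked against Cisco's advisory.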

Unified CM has been a consistent source of unauthenticated root-level vulnerabilities. In July 2025, Cisco removed a hardcoded root SSH account (CVE-2025-20309, CVSS 10) left over from development. In January 2026, Cisco fixed an unauthenticated RCE vulnerability (CVE-2026-20045) in multiple voice products, which was exploited in the wild and added to the Known Exploited Vulnerabilities Catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The CVE-2026-20230 vulnerability follows a similar pattern, where requests that should not access sensitive information ultimately can. With the PoC publicly available and the fix for version 15 months away, it is foreseeable that this file write vulnerability could be used in real-world attacks before patches are fully deployed.

This article is compiled by Wedoany. All AI citations must indicate the source as "Wedoany". If there is any infringement or other issues, please notify us promptly, and we will modify or delete it accordingly. Email: news@wedoany.com