Cisco Unified Communications Manager SSRF Vulnerability (CVE-2026-20230) Advisory

Vulnerability Overview Vulnerability Name: Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability CVE ID: CVE-2026-20230 CVSS Score: 8.6 Severity: Critical Publication Date: June 3, 2026 Vulnerability Description: This vulnerability allows an unauthenticated remote attacker to perform a Server-Side Request Forgery (SSRF) attack against the affected device by sending crafted HTTP requests. Successful exploitation of this vulnerability may allow an attacker to write files to the underlying operating system, thereby escalating privileges to root. Affected Products Affected Products: Cisco Unified CM and Unified CM SME, provided that the WebDialer service is enabled. Confirmed Not Affected Products: Only products listed in the "Vulnerable Products" section are considered affected; all others are confirmed not affected. Remediation Software Update: Cisco has released software updates to address this vulnerability. Temporary Workaround: Disable the WebDialer service. Follow the steps below: 1. Log in to the Cisco Unified CM administration interface. 2. From the navigation menu, select Cisco Unified Serviceability and click Go. 3. From the Tools menu, select Service Activation. 4. In the CTI Services section, clear the Cisco WebDialer Web Service check box and click Save. Exploit Code POC Code: No specific POC code or exploit code is provided on this page. Additional Information Vulnerability Source: Thanks to independent security researchers for reporting this vulnerability via the SSO Secure Disclosure program. Public Announcements: Cisco PSIRT is aware of proof-of-concept exploit code, but there is no evidence of malicious use. Related Links Vulnerability Details Link: Cisco Security Advisory Revision History Version 1.0: Initial public release, status Final, published on June 3, 2026. Legal Disclaimer Disclaimer: Includes detailed information regarding software downloads and technical support, as well as Cisco's disclaimer regarding documentation and materials. Footer Information Navigation Links: Include About Cisco, Contact Us, Careers, etc. Social Media Links: Provide links to Facebook, Twitter, LinkedIn, YouTube, and Instagram. Other Links: Include Feedback, Help, Terms & Conditions, Privacy, Cookies, Accessibility, Trademarks, Supply Chain Transparency, etc. Summary This vulnerability represents a critical security issue affecting Cisco Unified Communications Manager and Unified CM SME, provided that the WebDialer service is enabled. Cisco has released software updates to remediate this vulnerability and provided temporary workaround measures. Users are advised to apply the updates or implement the workaround measures as soon as possible.

Goal Reached Thanks to every supporter — we hit 100%!

Cisco Unified Communications Manager SSRF Vulnerability (CVE-2026-20230) Advisory