Critical Cisco Unified CM SSRF Could Lead to Root Privilege Escalation
Cisco disclosed CVE-2026-20230, a server-side request forgery vulnerability in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME) that can be exploited remotely without authentication. The flaw stems from improper input validation in specific HTTP requests, and Cisco said successful exploitation could let an attacker write files to the underlying operating system and later escalate privileges to root. Cisco assigned the issue a Critical security impact rating even though the CVSS v3.1 profile is listed as High severity.
The vulnerability affects Release 14 versions prior to 14SU6 and Release 15 versions prior to 15SU5 or the relevant COP update. Cisco noted that exploitation requires the WebDialer service to be enabled, and that service is disabled by default, but Canadian authorities warned that proof-of-concept exploit code is available and urged organizations to review Cisco’s advisory and apply updates promptly.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Cisco releases fixes and mitigations for CVE-2026-20230
Cisco released fixes for CVE-2026-20230, including Unified CM 14SU6 and interim COP patches, and said Unified CM version 15 will be fixed in 15SU5 scheduled for September 2026. Cisco also advised administrators to consider disabling the WebDialer service as a temporary mitigation after assessing operational impact.
Cisco says PoC exploit code is available for CVE-2026-20230
Cisco stated that proof-of-concept exploit code is available for CVE-2026-20230. On the same date, Cisco published advisories covering multiple products, including a critical update for affected Unified CM and CM SME releases.
Cisco PSIRT receives CVE-2026-20230 entry
The CVE entry for CVE-2026-20230 was newly received by Cisco PSIRT. The entry references Cisco's security advisory for additional technical details.
Cisco publishes advisory for CUCM SSRF vulnerability
Cisco published a security advisory for CVE-2026-20230 affecting Cisco Unified Communications Manager and Unified CM SME. The issue is an unauthenticated server-side request forgery vulnerability that can allow file writes to the underlying operating system and potentially lead to root privilege escalation when WebDialer is enabled.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
Warning: High severity vulnerability in Cisco Unified Communications Manager with exploit PoC available, patch immediately! | CCB Belgium
ccb.belgium.be
Open sourceCVE-2026-20230 - Cisco Unified CM SSRF to Potential Root Escalation - TheCyberThrone
thecyberthrone.in
Open sourceCisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public
thehackernews.com
Open sourceCritical Cisco Unified CM Bug Patched as Public Exploit Code Emerges
securityaffairs.com
Open sourceCisco security advisory (AV26-547) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceCVE-2026-20230 - Cisco Unified Communications Manager SSRF Vulnerability
cvefeed.io
Open sourceCVE-2026-20230: CVE-2026-20230: Server-Side Request Forgery in Cisco Unified Communications Manager WebDialer Service | CVEReports
cvereports.com
Open sourceCisco Unified Communications Manager Server-Side Request Forgery Vulnerability
sec.cloudapps.cisco.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Cisco Unified Communications RCE (CVE-2026-20045)
Cisco released fixes for a **critical remote code execution** vulnerability in Unified Communications and *Webex Calling Dedicated Instance*, tracked as **CVE-2026-20045**, after it was **actively exploited as a zero-day**. The issue stems from **improper validation of user-supplied input in HTTP requests** to the web-based management interface; successful exploitation can provide **user-level OS access** and enable **privilege escalation to root**. Affected products include **Cisco Unified Communications Manager (Unified CM)**, **Unified CM Session Management Edition (SME)**, **Unified CM IM & Presence**, **Cisco Unity Connection**, and **Webex Calling Dedicated Instance**; Cisco provided version-specific remediations including fixed releases and `.cop` patch files (e.g., `ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512`). CISA added **CVE-2026-20045** to its **Known Exploited Vulnerabilities (KEV) Catalog**, citing evidence of active exploitation and highlighting code injection flaws as a common attack vector with significant risk to the federal enterprise. Under **Binding Operational Directive (BOD) 22-01**, Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities by the specified due date, and CISA urged all organizations to similarly prioritize patching to reduce exposure to ongoing attacks.
Mar 21, 2026
Cisco patches max-severity Secure Firewall Management Center flaws enabling unauthenticated root access
Cisco released security updates for two **maximum-severity** vulnerabilities in *Cisco Secure Firewall Management Center (FMC)* that can be exploited remotely by **unauthenticated** attackers via crafted HTTP requests to the web-based management interface. The issues include an **authentication bypass** (**CVE-2026-20079**) that can lead to **root access** on the underlying operating system and a **remote code execution** flaw (**CVE-2026-20131**) that allows execution of arbitrary Java code as root on unpatched systems. The Canadian Centre for Cyber Security highlighted Cisco’s advisories and urged administrators to review Cisco guidance and apply updates, noting impact to **Cisco Security Cloud Control (SCC) Firewall Management** and **Cisco Secure FMC** across versions. Cisco stated its PSIRT had **no evidence of active exploitation** and no public PoC at the time of publication, while also issuing fixes for additional vulnerabilities (including multiple high-severity issues) across Cisco firewall management and firewall platforms.
Mar 26, 2026
Critical Cisco IMC Flaws Enable Authentication Bypass and Root Compromise
Cisco disclosed multiple vulnerabilities in its Integrated Management Controller (**IMC**), including the critical `CVE-2026-20093`, which allows a remote, unauthenticated attacker to send a crafted HTTP request to bypass authentication and change passwords for existing users, including the primary Admin account. Cisco rated the flaw **CVSS 9.8** and said no workarounds or mitigations are available, making vendor-issued software updates the only effective fix; the company added that it has no evidence of active exploitation or public malicious use. Additional advisories cover `CVE-2026-20094` through `CVE-2026-20097`, spanning command injection and arbitrary code execution issues that could let attackers execute commands or code as `root` and fully compromise affected systems. Impacted products include Cisco UCS C-Series and S-Series servers, UCS E-Series systems, Catalyst 8300 Series Edge uCPE, 5000 Series ENCS, and other Cisco appliances built on vulnerable UCS platforms, with Cisco publishing fixed-version guidance and upgrade paths while runZero released an inventory query to help organizations identify exposed IMC assets.
Apr 3, 2026