SSRF in Cisco Unified CM / Unified CM SME WebDialer
CVE-2026-20230 is a server-side request forgery vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). The flaw is in the WebDialer service and is caused by improper input validation of specific HTTP requests. Available reporting indicates the vulnerable WebDialer servlet request-handling logic consumes attacker-controlled parameters such as redirect targets or directory server values and uses them to initiate outbound HTTP connections without adequate restriction. The validation does not sufficiently prevent access to loopback or private-address destinations, allowing an unauthenticated remote attacker to send crafted HTTP requests that cause the affected system to reach internal services. Through this SSRF primitive, the attacker can write files to the underlying operating system; those files can then be used in a subsequent step to elevate privileges to root. Cisco rated the issue Critical because of the root-escalation potential, although the underlying CVSS profile is lower.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
48 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical server-side request forgery vulnerability in Cisco Unified Communications Manager and Session Management Edition that allows an unauthenticated network attacker to write arbitrary files and potentially escalate privileges to root.
A critical Cisco Unified CM / Unified CM SME vulnerability caused by improper validation of certain HTTP requests that allows unauthenticated remote SSRF and could enable file writes that may later be used to escalate privileges to root.
A critical SSRF vulnerability in Cisco Unified Communications Manager and Unified CM Session Management Edition WebDialer service that can allow an unauthenticated remote attacker to send crafted HTTP requests, trigger SSRF behavior, and achieve arbitrary file write, potentially leading to privilege escalation to root.
A critical Cisco Unified Communications Manager vulnerability that can be exploited remotely via crafted HTTP requests against systems with WebDialer enabled, allowing file writes that can later lead to root privilege escalation.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.