EXECUTIVE SUMMARY:
CVE-2026-20230 (CVSS score 8.6) is a severe server-side request forgery (SSRF) flaw in Cisco Unified Communications Manager. It affects release 14 (including 14SU6) and release 15 (including 15SU5) when the WebDialer service is enabled. The vulnerability arises because the WebDialer component improperly validates user-supplied URLs, allowing an unauthenticated remote adversary to craft HTTP requests that the server forwards to internal resources. An attacker can exploit this by sending a malicious request to the WebDialer endpoint, causing the server to contact arbitrary internal addresses and write files to the underlying operating system, effectively achieving arbitrary file write and full system takeover. The business impact includes complete compromise of the call-processing platform, potential exposure of confidential communications, disruption of telephony services, and downstream attacks on connected network assets. Exploitation requires only network access to the Cisco Unified CM web interface and an active WebDialer feature; because the service is disabled by default, only organizations that have enabled it are directly exposed. The attack does not require prior credentials, but an enabled WebDialer service is a prerequisite for successful exploitation.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/cisco-unified-cm-vulnerability-public-poc/