CVE-2026-20230
Analyzed
Analyzed - Analysis Complete
Server-Side Request Forgery in Cisco Unified Communications Manager
Vulnerability report for CVE-2026-20230, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-03
Last updated on: 2026-07-01
Assigner: Cisco Systems, Inc.
Description
Description
A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device.
This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.
Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.
Note: To exploit this vulnerability, the WebDialer service must be enabled. WebDialer is disabled by default.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | unified_communications_manager | From 14.0 (inc) to 14su6 (exc) |
| cisco | unified_communications_manager | From 15.0 (inc) to 15su4a (inc) |
| cisco | unified_communications_manager | From 14.0 (inc) to 14su6 (exc) |
| cisco | unified_communications_manager | From 15.0 (inc) to 15su4a (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |