CVE-2026-20230 – Cisco Unified Communications Manager
“An exposed communications platform can become the first step toward full system compromise.”
Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition have been updated to address CVE-2026-20230. This vulnerability has a CVSS score of 8.6, which is High severity. The issue is caused by improper input validation that can allow an unauthenticated remote attacker to perform server-side request forgery (SSRF) attacks against an affected system.
A successful attack could allow an attacker to write files to the underlying operating system, creating a path for later privilege escalation to root. Public proof-of-concept code has been reported for this vulnerability. Cisco assigned the issue a Critical Security Impact Rating because successful exploitation can ultimately lead to root-level compromise. The vulnerability is only exploitable when the WebDialer service is enabled, which is disabled by default.
Key Details
- Affected Product
- Cisco Unified Communications Manager
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-918