High (8.6) Actively Exploited

Cisco SSRF writes files to root (CVE-2026-20230) [PoC]

CVE-2026-20230: Cisco Unified CM SSRF lets unauthenticated attackers write files to the OS, then escalate to root. Active exploitation confirmed. Patch now.

Actively exploited in the wild - CVE-2026-20230 is a high-severity server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager and Unified CM Session Management Edition that lets unauthenticated attackers write files to the underlying operating system, which can be later used to escalate privileges to root. Cisco has released patches; update immediately.

Overview

CVE-2026-20230 affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). The vulnerability stems from improper input validation for specific HTTP requests sent to the WebDialer service. An unauthenticated, remote attacker can trigger an SSRF attack by sending a crafted HTTP request to an affected device. Successful exploitation allows the attacker to write arbitrary files to the underlying OS, and those files can be leveraged later to elevate privileges to root.

Cisco assigned this vulnerability a Critical Security Impact Rating (SIR), even though its CVSS base score is 8.6 (High). The reason for the Critical designation is that the end state of exploitation - root-level access - poses a far greater risk than the CVSS vector alone suggests.

The WebDialer service must be enabled for this attack to work. By default, WebDialer is disabled. Organizations that have not enabled WebDialer are not directly exposed to this exploit path.

Impact

An attacker who successfully exploits CVE-2026-20230 gains the ability to write files to the target system’s OS. Those files can be crafted to execute arbitrary code or commands, ultimately granting the attacker root access. The attack requires no authentication, no user interaction, and no special network position - it can be conducted remotely over the network.

Given active exploitation confirmed by CISA KEV and an EPSS score of 34.2%, the probability of widespread exploitation in the next 30 days is elevated.

Remediation

Cisco has released software updates addressing this vulnerability. Affected versions include:

  • Cisco Unified CM versions prior to the fixed releases listed in the vendor advisory
  • Cisco Unified CM SME versions prior to the fixed releases listed in the vendor advisory

Immediate actions:

  1. Upgrade to the patched version as specified in Cisco’s security advisory.
  2. If you cannot patch immediately, disable the WebDialer service on affected systems. This service is disabled by default; verify it is not enabled on your deployment.
  3. Monitor systems for signs of unauthorized file writes or privilege escalation attempts.

For additional context, see the latest Weekly Threat Roundup, "56M Credentials Leaked (June 15-21)", and "Cisco Releases Security Updates for Actively Exploited" for details on Cisco's patch release timeline.

Security Insight

This vulnerability is a textbook example of why SSRF flaws remain a top-tier threat in enterprise communications platforms. Because the arbitrary file write can be chained into privilege escalation, Cisco's own SIR rating acknowledges that attackers can reach root - the highest level of access - without any initial foothold. The fact that WebDialer is off by default is a rare defense-in-depth win, but organizations that enabled it for business purposes must now treat this as a priority patching event. The high EPSS score and confirmed active exploitation make this the kind of vulnerability that should be fixed before the end of the week.


Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository: HORKimhab/CVE-2026-20230
Description: CVE-2026-20230 - Cisco Unified CM
Stars: 1

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
