Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public
The Hacker NewsArchived Jun 04, 2026✓ Full text saved
Cisco has patched a bug in Unified Communications Manager that lets an unauthenticated attacker on the network write files to the box and, from there, climb to root. It is tracked as CVE-2026-20230, and proof-of-concept exploit code is already public. Cisco's PSIRT says it has not seen the flaw used in attacks yet. The PoC shortens that runway. The flaw is a server-side request forgery.
Full text archived locally
✦ AI Summary· Claude Sonnet
Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public
Swati KhandelwalJun 04, 2026Vulnerability / Network Security
Cisco has patched a bug in Unified Communications Manager that lets an unauthenticated attacker on the network write files to the box and, from there, climb to root.
It is tracked as CVE-2026-20230, and proof-of-concept exploit code is already public. Cisco's PSIRT says it has not seen the flaw used in attacks yet. The PoC shortens that runway.
The flaw is a server-side request forgery. Unified CM and its Session Management Edition fail to validate certain HTTP requests properly, so a crafted request can push the server into writing arbitrary files onto the underlying OS. Those files are the foothold. Cisco says they can be used later to escalate to root, the top privilege on the system.
That two-step is why the score and the rating disagree. The CVSS base is 8.6: it scores the file write (an integrity-only impact, no confidentiality or availability loss) but not the root escalation that follows. Cisco rated the advisory Critical anyway, since the end state is full root.
There is one mitigating factor: the flaw only works when the WebDialer service is running, and WebDialer ships off by default. That does not help any deployment that has switched it on.
To check, open Cisco Unified CM Administration and switch to Cisco Unified Serviceability. Under Tools > Control Center - Feature Services, look at the Cisco WebDialer Web Service status in the CTI Services section. Started means you are exposed.
Patching is the only real fix. For the 14 train, that is 14SU6. For 15, the full Service Update (15SU5) is not due until September 2026, so until then, you are on the interim COP patch, or you turn WebDialer off (uncheck it under Tools > Service Activation and save). An independent researcher working with SSD Secure Disclosure reported the bug.
Unified CM has been a steady source of unauthenticated, root-level trouble. Last July, Cisco pulled a hard-coded root SSH account left in from development (CVE-2025-20309, CVSS 10).
In January, it patched an unauthenticated RCE across several of its voice products (CVE-2026-20045) that was already being exploited in the wild, enough for CISA to add it to its known-exploited list.
This one fits the pattern: a request that should never have reached anything sensitive, reaching it. With a PoC public and the 15-train fix months out, assume someone turns that file-write into a working attack before the patches are everywhere.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
CISA, cisco, network security, SSRF, Vulnerability
⚡ Top Stories This Week
GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure
Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm
Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal
AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites
ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions
Malicious npm Package Stole Files From Claude AI User Directory via GitHub
ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More
OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation
Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded
PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
Load More ▼
⭐ Featured Resources
[Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed)
Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo)
Learn How to Stop Attacks Before They Reach Your EDR – With PHASR
Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report