"An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device," Cisco said in an advisory released earlier this month.
CVE-2026-20230: what the flaw does and how it behaves
The bug, tracked as CVE-2026-20230 and carrying a CVSS score of 8.6, stems from improper input validation for specific HTTP requests handled by Cisco Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). According to Cisco, the flawed request handling can be leveraged to perform server-side request forgery (SSRF) against an affected device. Cisco warned that "a successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root."
Active exploitation reported by Defused Cyber
Security researcher group Defused Cyber posted on X earlier this week that it has observed active exploitation of CVE-2026-20230. Defused Cyber said the activity is "currently being exploited from a single source using an unvetted PoC, with genuinely-formatted file:// file-write payloads landing on our decoys." That description indicates attackers are using proof-of-concept (PoC) payloads that target file-write capabilities exposed via file:// URIs.
Why WebDialer matters — and how to check it
Successful exploitation requires that the WebDialer service be enabled; Cisco notes WebDialer is disabled by default. To determine whether an installation is exposed, administrators can follow these steps in the Cisco Unified CM administrative interface:
- Log in to the Cisco Unified CM Administration interface
- From the Navigation menu, choose Cisco Unified Serviceability and click Go
- From the Tools menu, choose Control Center - Feature Services
- In the CTI Services section of the page, check whether the current status of the Cisco WebDialer Web Service is Started or Not Running
- If the status is Started, WebDialer is enabled
Cisco has advised that if immediate patching is not possible, organizations should disable the WebDialer service until a fix can be applied.
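The GUI steps above do not scale to a cluster. The following added example (not Cisco code and not from the article) performs the same check from the platform CLI output instead: it assumes the output of the `utils service list` command lists one service per line as `Service Name[STATUS]` with statuses such as STARTED or STOPPED (that line format is an assumption here), and the per-node outputs embedded below are constructed, not captured from real nodes. It distinguishes a node where WebDialer is started from one where it is stopped or not listed at all, so the "absent" case is not mistaken for "disabled and verified".

```python
"""Decide from Unified CM `utils service list` output whether WebDialer is enabled.

Added example, not Cisco's code. ASSUMPTION: each service is printed as
`Service Name[STATUS]`; the sample outputs are constructed for illustration.
"""
import re

WEBDIALER = "Cisco WebDialer Web Service"

# Matches lines such as "Cisco WebDialer Web Service[STARTED]" or
# "System SSH [STARTED]" (optional whitespace before the bracket).
SERVICE_LINE = re.compile(r"^(?P<name>.+?)\s*\[(?P<status>[A-Z ]+)\]\s*$")


def parse_service_list(output):
    """Return {service name: status} for every `Name[STATUS]` line in output."""
    services = {}
    for line in output.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m:
            services[m["name"].strip()] = m["status"].strip()
    return services


def webdialer_state(output):
    """'started', 'stopped', or 'absent' (service not listed, e.g. never activated)."""
    status = parse_service_list(output).get(WEBDIALER)
    if status is None:
        return "absent"
    return "started" if status == "STARTED" else "stopped"


def exposed_nodes(outputs):
    """Given {hostname: service-list output}, return the nodes where WebDialer runs."""
    return sorted(host for host, out in outputs.items()
                  if webdialer_state(out) == "started")


# Constructed sample outputs for three hypothetical cluster nodes.
SAMPLE_OUTPUTS = {
    "cucm-pub.example.test": """Requesting service status, please wait...
System SSH [STARTED]
Cisco CallManager[STARTED]
Cisco WebDialer Web Service[STARTED]
Cisco Tomcat [STARTED]
""",
    "cucm-sub1.example.test": """Requesting service status, please wait...
System SSH [STARTED]
Cisco CallManager[STARTED]
Cisco WebDialer Web Service[STOPPED]
""",
    "cucm-sub2.example.test": """Requesting service status, please wait...
System SSH [STARTED]
Cisco CallManager[STARTED]
""",
}

if __name__ == "__main__":
    for host, out in SAMPLE_OUTPUTS.items():
        print(f"{host}: WebDialer {webdialer_state(out)}")
    print("Exposed until patched or WebDialer is disabled:", exposed_nodes(SAMPLE_OUTPUTS))
```

Nodes reported as "started" are the ones to patch to 14SU6/15SU5 first or to disable WebDialer on, per the mitigation above; a node reported as "absent" should be confirmed through the Feature Services page rather than assumed safe.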
Patches released and additional technical detail from SSD Secure Disclosure
Cisco published fixes in Unified CM and Unified CM SME versions 14SU6 and 15SU5. Separately, SSD Secure Disclosure released further technical specifics describing how the WebDialer component can be leveraged to obtain the true hostname of the target and thereby allow unauthenticated attackers to arbitrarily write files on the server, ultimately achieving code execution.
What this means for technologists, affected enterprises, and adversaries
Technologists and security teams: Validate whether WebDialer is running in your Unified CM or Unified CM SME environment and apply the 14SU6 or 15SU5 updates where possible. If patching cannot be performed immediately, disable WebDialer as Cisco recommends.
Affected enterprises and procurement leaders: Prioritize inventories of Unified CM and Unified CM SME appliances and virtual instances to identify any systems running WebDialer. Track application of the 14SU6/15SU5 patches and verify post-patch remediation.
Adversaries and incident responders: Defused Cyber’s report that exploitation has been observed "from a single source using an unvetted PoC" suggests the current activity is limited in origin but demonstrably effective against exposed systems; defenders should monitor for similar file:// file-write indicators on honeypots and production telemetry.
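As an added example of the monitoring suggested above (my code, not Defused Cyber's or Cisco's), the following scans HTTP access-log lines for a `file://` URI in the request target, which is the indicator Defused Cyber described. The article does not name the exploited endpoint, so the detector deliberately looks for the scheme anywhere in the request line rather than on a particular path, and it decodes percent-encoding repeatedly so that single- and double-encoded payloads are caught. The log lines are constructed in a combined-log-like layout and the paths in them are placeholders, not real Unified CM URLs.

```python
"""Flag HTTP requests carrying a file:// URI and summarize their sources.

Added example, not from the article. ASSUMPTIONS: logs are in a
combined-log-like layout; the sample lines and paths are constructed.
"""
import re
from urllib.parse import unquote

# One combined-log-style line: src - - [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A file scheme with at least two slashes (file://host/path or file:///path).
FILE_SCHEME = re.compile(r"file:/{2,}", re.IGNORECASE)


def deep_unquote(value, rounds=3):
    """Percent-decode until stable, so file%253A%252F%252F also surfaces."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_file_uri_requests(log_text):
    """Return one dict per request whose decoded target contains a file:// URI."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        decoded = deep_unquote(m["target"])
        if FILE_SCHEME.search(decoded):
            hits.append({
                "src": m["src"],
                "ts": m["ts"],
                "method": m["method"],
                "target": m["target"],
                "decoded": decoded,
                "status": int(m["status"]),
            })
    return hits


def sources(hits):
    """Count flagged requests per source address (helps judge 'single source')."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


# Constructed sample log; addresses are documentation ranges, paths are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2026:10:01:02 +0000] "GET /app/page?cmd=lookup HTTP/1.1" 200 512
203.0.113.10 - - [12/May/2026:10:01:05 +0000] "POST /app/fetch?url=file:///tmp/probe.txt HTTP/1.1" 200 88
198.51.100.7 - - [12/May/2026:10:02:11 +0000] "GET /app/fetch?url=file%3A%2F%2F%2Ftmp%2Fprobe.txt HTTP/1.1" 200 88
198.51.100.7 - - [12/May/2026:10:02:12 +0000] "GET /app/fetch?url=file%253A%252F%252F%252Ftmp%252Fx HTTP/1.1" 400 0
192.0.2.4 - - [12/May/2026:10:03:00 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    found = find_file_uri_requests(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']} {h['method']} {h['decoded']} -> {h['status']}")
    print("per-source counts:", sources(found))
```

A hit with a 2xx status deserves a look at the host's filesystem for newly written files, since the vendor's stated impact is a file write that can later be used to elevate to root; a 4xx hit still shows who is probing.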
Context and near-term implications
Cisco has not yet updated its advisory to reflect the reported exploitation. The combination of an unauthenticated SSRF vector, a documented file-write path and public PoC activity elevates the operational risk for any deployed system with WebDialer enabled. The report also lands while Cisco is dealing with other actively exploited flaws: last week the company released security updates for a separate, medium-severity vulnerability in Catalyst SD‑WAN Manager (CVE-2026-20262, CVSS score: 6.5) that Cisco said has come under active exploitation in the wild.
The documented facts in this incident are straightforward: a high-severity SSRF bug, public technical detail from SSD Secure Disclosure, observed exploitation reported by Defused Cyber, and vendor patches in 14SU6 and 15SU5 with an interim mitigation (disable WebDialer). What remains to be seen is whether the exploitation expands beyond the single source described by Defused Cyber and whether organizations apply the patches or disable WebDialer in time.