Cisco has patched a bug in Unified Communications Manager that could let an unauthenticated attacker on the network write a file to the box and gain root access from there.
It is tracked as CVE-2026-20230, and proof-of-concept exploit code is already public. Cisco's PSIRT says it has not yet seen the flaw used in attacks. A public PoC shortens that runway.
The fault is server-side request forgery. Unified CM and its Session Management Edition fail to properly validate some HTTP requests, so a crafted request can cause the server to write arbitrary files to the underlying OS. Those files are the foothold: Cisco says they can later be used to elevate to root, the highest privilege level on the system.
This is why the score and the rating disagree. The CVSS base score is 8.6: it scores the file write (an integrity-only impact, no confidentiality or availability loss) but not the root escalation that follows. Cisco has rated the advisory Critical anyway, because the end state is full root.
One mitigating factor is this: the flaw only works when the WebDialer service is running, and WebDialer is turned off by default. This doesn’t help any deployments that have it turned on.
To check, open Cisco Unified CM Administration and switch to Cisco Unified Serviceability. Under Tools > Control Center – Feature Services, look at the status of Cisco WebDialer Web Service in the CTI Services section. A status of Starting means you are exposed.
Patching is the only real solution. For the 14 train, that’s 14SU6. For 15, the full service update (15SU5) is not due until September 2026, so until then, you are on the interim COP patch, or you turn off WebDialer (uncheck it under Tools > Service Activation and save). An independent researcher working with SSD Secure Disclosure reported the bug.
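On a cluster with more than a few nodes, the check and the per-train fix above can be scripted. This is an added example, not Cisco's or the article's code: it assumes you have saved each node's `utils service list` CLI output and version string, and that service lines look like `Name[STATE]`; the hostnames, versions and output below are constructed.

```python
import re

# Assumed line format of `utils service list`, e.g. "Cisco Tomcat[STARTED]".
SERVICE_LINE = re.compile(r"^\s*(?P<name>.+?)\s*\[(?P<state>[A-Z ]+)\]")
WEBDIALER = "Cisco WebDialer Web Service"  # service name as given in the article
RUNNING_STATES = {"STARTED", "STARTING"}   # assumption: either state means reachable

# Remediation per release train, taken from the article text.
FIX_BY_TRAIN = {
    "14": "upgrade to 14SU6",
    "15": "apply the interim COP patch, or deactivate WebDialer until 15SU5",
}

def webdialer_state(service_list_output):
    """Return the WebDialer state string, or None if the service is not listed."""
    for line in service_list_output.splitlines():
        m = SERVICE_LINE.match(line)
        if m and m.group("name") == WEBDIALER:
            return m.group("state").strip()
    return None

def triage(node, version, service_list_output):
    """Classify one node: exposed or not, plus the fix the article gives."""
    state = webdialer_state(service_list_output)
    train = version.split(".", 1)[0]
    action = FIX_BY_TRAIN.get(train, "train not covered here; check the Cisco advisory")
    return {"node": node, "webdialer": state or "NOT LISTED",
            "exposed": state in RUNNING_STATES, "action": action}

def triage_fleet(fleet):
    """Triage every node; exposed nodes sort first so they are handled first."""
    rows = [triage(n, v, out) for n, (v, out) in fleet.items()]
    return sorted(rows, key=lambda r: (not r["exposed"], r["node"]))

# Constructed sample data: hostnames, versions and CLI output are illustrative.
SAMPLE = {
    "cucm-sub1": ("14.0.1.13900-1",
                  "Cisco Tomcat[STARTED]\n"
                  "Cisco WebDialer Web Service[STOPPED]  Service Not Activated\n"),
    "cucm-pub": ("15.0.1.12900-1",
                 "Cisco Tomcat[STARTED]\nCisco WebDialer Web Service[STARTED]\n"),
}

if __name__ == "__main__":
    for row in triage_fleet(SAMPLE):
        print(row)
```

A node reported as not exposed still needs the fixed release; the flag only orders the work.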
Unified CM has been a steady source of unauthenticated, root-level trouble. Last July, Cisco removed a hard-coded root SSH account left over from development (CVE-2025-20309, CVSS 10).
In January, it patched a previously unpatched RCE in several of its voice products (CVE-2026-20045) that was already being exploited in the wild, enough for CISA to add it to its known-exploited list.
This one fits the pattern: a request reaching something sensitive that it should never have been able to access. With the PoC public and a 15-train fix months away, assume someone turns that file write into a working attack before the patch is everywhere.