CVE-2026-20230 — Cisco Unified Communications Manager: unauthenticated SSRF to OS-root file write

Cisco PSIRT disclosed an SSRF in the Unified CM / Unified CM SME WebDialer service where improper HTTP input validation lets an unauthenticated remote attacker coerce the device into fetching an attacker URL and writing the response to arbitrary OS locations — a write primitive Cisco states "could be used later to elevate to root" via a drop into cron/service directories (Cisco PSIRT, 2026-06-03). Cisco rates it Critical (SIR) despite CVSS 8.6 because of the root path. WebDialer is disabled by default; affected are Release 14 (pre-14SU6) and 15 (pre-15SU5). Cisco reports no confirmed in-the-wild exploitation at disclosure but states that proof-of-concept exploit code is publicly available — which compresses the window before opportunistic exploitation. Disable WebDialer if unused, patch to 14SU6 / apply the Release 15 COP, restrict admin-interface access to management networks, and hunt for unexpected outbound HTTP from Unified CM hosts.