CVE-2026-20230 — Cisco Unified CM: WebDialer SSRF to arbitrary file write to root, reconnaissance-stage exploitation observed
From CTI Daily Brief — 2026-06-24 · published 2026-06-24
Cisco PSIRT's advisory (2026-06-03) for CVE-2026-20230 (CVSS 8.6, CWE-918 SSRF) describes a flaw in the WebDialer service of Cisco Unified Communications Manager (Unified CM) releases 14 and 15: the service fails to validate HTTP requests, so an unauthenticated remote attacker can send a crafted request with a file:// payload to write arbitrary files to the underlying OS, which Cisco states can subsequently be used to escalate to root (Cisco PSIRT, 2026-06-03; BleepingComputer, 2026-06-23). WebDialer is disabled by default, so exposure requires it to have been enabled.

Threat-intelligence firm Defused observed exploitation over the weekend of ~2026-06-21/22 from a single source IP, writing a marker file (/tmp/cve-2026-20230-test.txt) — a vulnerability-fingerprinting pattern that historically precedes a targeted exploitation wave. A public PoC (SSD Secure Disclosure) exists. Not KEV-listed as of this run.

Patched in 14SU6 for Release 14, with a COP interim fix for Release 15 (full 15SU5 is not due until September 2026). Maps to T1190 (Exploit Public-Facing Application) and T1068 (privilege escalation via the written file).

Defenders with internet-facing Unified CM should disable WebDialer if unused (Service Parameters → Cisco WebDialer Web Service), and hunt WebDialer access logs for file:// URIs and unexpected file-creation events (Sysmon EID 11 / auditd) outside normal WebDialer paths — without treating absence of the marker file as proof of safety, since it is trivially cleaned up.
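The access-log hunt described above, as an added example that is not from Cisco, Defused or the brief's sources: it flags requests whose target contains a file: URI, including percent-encoded and double-encoded forms, and groups them by source IP. The Tomcat-style log layout, the /webdialer/PLACEHOLDER path, the parameter name x and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: Tomcat-style access log lines (client IP first, quoted request line, status).
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# "file:/" not preceded by a letter or digit, so a value like "profile:/" is not flagged.
FILE_URI_RE = re.compile(r'(?<![A-Za-z0-9])file:/', re.IGNORECASE)

# Constructed sample lines; the path and the parameter name "x" are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jun/2026:03:14:07 +0000] "GET /webdialer/PLACEHOLDER?x=file:///tmp/cve-2026-20230-test.txt HTTP/1.1" 200 512',
    '192.0.2.10 - - [21/Jun/2026:03:14:09 +0000] "GET /webdialer/PLACEHOLDER?x=FiLe%3A%2F%2F%2Ftmp%2Fa HTTP/1.1" 500 0',
    '198.51.100.7 - - [22/Jun/2026:11:02:41 +0000] "GET /webdialer/PLACEHOLDER?x=%2566ile%253A%252F%252Ftmp%252Fb HTTP/1.1" 404 0',
    '203.0.113.5 - - [22/Jun/2026:11:05:00 +0000] "GET /webdialer/PLACEHOLDER?page=profile HTTP/1.1" 200 1024',
]

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded schemes (%2566ile) are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def hunt_file_uris(lines):
    """Return {source_ip: [(status, decoded_target), ...]} for requests carrying a file: URI."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        target = decode_fully(m.group("target"))
        if FILE_URI_RE.search(target):
            hits[m.group("ip")].append((int(m.group("status")), target))
    return dict(hits)

if __name__ == "__main__":
    for ip, requests in hunt_file_uris(SAMPLE_LOG).items():
        for status, target in requests:
            print(ip, status, target)
```

Access logs normally record only the request line, so a payload carried in a request body will not appear here; pair this with the file-creation telemetry the brief mentions.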