ctipilot.ch

Cisco Unified Communications Manager WebDialer unauthenticated SSRF → OS-root file write (SIR Critical); fix 14SU6 / Release 15 COP

cve · CVE-2026-20230 single-source

Coverage timeline
3
first 2026-06-04 → last 2026-06-29
Peak priority
high
2 high · 1 notable
Sources cited
2
2 hosts
Sections touched
2
trending-vulnerabilities, weekly-vuln-rollup
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
2
pinned v19.1 · see below

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-06-24/cve-2026-20230-cisco-unified-cm-webdialer-ssrf-to-arbitrary · ATT&CK page ↗

Privilege Escalation TA0004

T1068Exploitation for Privilege Escalation×1

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

Evidence: 2026-06-24/cve-2026-20230-cisco-unified-cm-webdialer-ssrf-to-arbitrary · ATT&CK page ↗

Story timeline

  1. 2026-06-29CVE-2026-20230 — Cisco Unified CM WebDialer: pre-auth SSRF to arbitrary root file write, reconnaissance-stage scanning observed
    weekly-vuln-rollup
  2. 2026-06-24CVE-2026-20230 — Cisco Unified CM: WebDialer SSRF to arbitrary file write to root, reconnaissance-stage exploitation observed
    trending-vulnerabilities
  3. 2026-06-04CVE-2026-20230 — Cisco Unified Communications Manager: unauthenticated SSRF to OS-root file write
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities2
  • weekly-vuln-rollup1

Source distribution

  • bleepingcomputer.com1 (50%)
  • sec.cloudapps.cisco.com1 (50%)

explore in graph

Entries about Cisco Unified Communications Manager WebDialer unauthenticated SSRF → OS-root file write (SIR Critical); fix 14SU6 / Release 15 COP (3)

2026-06-29 · view entry permalink →

NOTABLECVE-2026-20230exploited

CVE-2026-20230 — Cisco Unified CM WebDialer: pre-auth SSRF to arbitrary root file write, reconnaissance-stage scanning observed

Cisco PSIRT's advisory describes an SSRF in the WebDialer service of Unified CM 14/15 that lets an unauthenticated attacker write files to the OS and later escalate to root. The in-window signal: exploitation moved to reconnaissance stage, with a PoC that fingerprints vulnerable devices. Unified CM is core telephony for many cantonal and hospital networks — patch before the scanning becomes exploitation.

Cisco PSIRT's advisory describes an SSRF in the WebDialer service of Unified CM 14/15 that lets an unauthenticated attacker write files to the OS and later escalate to root.

ctipilot v2 brief (migrated)
vulnerability29 Jun 00:21Zmulti-sourceOpen finding ↗

2026-06-24 · view entry permalink →

HIGHCVE-2026-20230exploited

CVE-2026-20230 — Cisco Unified CM: WebDialer SSRF to arbitrary file write to root, reconnaissance-stage exploitation observed

Cisco PSIRT's advisory (2026-06-03) for CVE-2026-20230 (CVSS 8.6, CWE-918 SSRF) describes a flaw in the WebDialer service of Cisco Unified Communications Manager (Unified CM) releases 14 and 15: the service fails to validate HTTP requests, so an unauthenticated remote attacker can send a crafted request with a file:// payload to write arbitrary files to the underlying OS, which Cisco states can subsequently be used to escalate to root (Cisco PSIRT, 2026-06-03; BleepingComputer, 2026-06-23). WebDialer is disabled by default, so exposure requires it to have been enabled. Threat-intelligence firm Defused observed exploitation over the weekend of ~2026-06-21/22 from a single source IP, writing a marker file (/tmp/cve-2026-20230-test.txt) — a vulnerability-fingerprinting pattern that historically precedes a targeted exploitation wave. A public PoC (SSD Secure Disclosure) exists. Not KEV-listed as of this run. Patched in 14SU6 for Release 14, with a COP interim fix for Release 15 (full 15SU5 is not due until September 2026). Maps to T1190 (Exploit Public-Facing Application) and T1068 (privilege escalation via the written file). Defenders with internet-facing Unified CM should disable WebDialer if unused (Service Parameters → Cisco WebDialer Web Service), and hunt WebDialer access logs for file:// URIs and unexpected file-creation events (Sysmon EID 11 / auditd) outside normal WebDialer paths — without treating absence of the marker file as proof of safety, since it is trivially cleaned up.

A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.

Cisco PSIRT

the PoC observed by Defused appears designed to identify vulnerable devices

BleepingComputer
vulnerability24 Jun 05:11Zmulti-sourceOpen finding ↗

2026-06-04 · view entry permalink →

CVE-2026-20230 — Cisco Unified Communications Manager: unauthenticated SSRF to OS-root file write

Cisco PSIRT disclosed an SSRF in the Unified CM / Unified CM SME WebDialer service where improper HTTP input validation lets an unauthenticated remote attacker coerce the device into fetching an attacker URL and writing the response to arbitrary OS locations — a write primitive Cisco states "could be used later to elevate to root" via a drop into cron/service directories (Cisco PSIRT, 2026-06-03). Cisco rates it Critical (SIR) despite CVSS 8.6 because of the root path. WebDialer is disabled by default; affected are Release 14 (pre-14SU6) and 15 (pre-15SU5). Cisco reports no confirmed in-the-wild exploitation at disclosure but states that proof-of-concept exploit code is publicly available — which compresses the window before opportunistic exploitation. Disable WebDialer if unused, patch to 14SU6 / apply the Release 15 COP, restrict admin-interface access to management networks, and hunt for unexpected outbound HTTP from Unified CM hosts.

A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root

Cisco PSIRT
vulnerability04 Jun 05:00Zsingle-sourceOpen finding ↗