CVE-2026-20230 — Cisco Unified CM: WebDialer SSRF to arbitrary file write to root, reconnaissance-stage exploitation observed
Part of run 2026-06-24-de656486 (intel · Claude Opus 4.8 (1M context))
Cisco PSIRT's advisory (2026-06-03) for CVE-2026-20230 (CVSS 8.6, CWE-918 SSRF) describes a flaw in the WebDialer service of Cisco Unified Communications Manager (Unified CM) releases 14 and 15: the service fails to validate HTTP requests, so an unauthenticated remote attacker can send a crafted request with a file:// payload to write arbitrary files to the underlying OS, which Cisco states can subsequently be used to escalate to root (Cisco PSIRT, 2026-06-03; BleepingComputer, 2026-06-23). WebDialer is disabled by default, so exposure requires it to have been enabled.
Threat-intelligence firm Defused observed exploitation over the weekend of ~2026-06-21/22 from a single source IP, writing a marker file (/tmp/cve-2026-20230-test.txt) — a vulnerability-fingerprinting pattern that historically precedes a targeted exploitation wave. A public PoC (SSD Secure Disclosure) exists. Not KEV-listed as of this run.
Patched in 14SU6 for Release 14, with a COP interim fix for Release 15 (full 15SU5 is not due until September 2026). Maps to T1190 (Exploit Public-Facing Application) and T1068 (privilege escalation via the written file).
Defenders with internet-facing Unified CM should disable WebDialer if unused (Service Parameters → Cisco WebDialer Web Service), and hunt WebDialer access logs for file:// URIs and unexpected file-creation events (Sysmon EID 11 / auditd) outside normal WebDialer paths — without treating absence of the marker file as proof of safety, since it is trivially cleaned up.
“A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.” — Cisco PSIRT
“the PoC observed by Defused appears designed to identify vulnerable devices” — BleepingComputer
Action items
- Remediate Cisco Unified CM CVE-2026-20230 if WebDialer is enabled on an internet-facing instance: apply 14SU6 (Release 14) or the Release-15 COP fix, or disable the Cisco WebDialer Web Service if unused; hunt WebDialer logs for file:// URIs and stray file-creation events (§ 2).
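One way to run the log hunt for file:// URIs described above, as an added example (not code from Cisco, Defused or this brief). It assumes access-log lines in Common/Combined Log Format; the request paths, parameter names and IP addresses in the sample are constructed placeholders, not the real WebDialer layout.

```python
import re
from urllib.parse import unquote

# Assumption: Common/Combined Log Format. Adjust REQUEST_RE to the layout
# your Unified CM WebDialer access logs actually use.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# "file:/" as a scheme, not as the tail of a longer token such as "profile:/".
FILE_SCHEME_RE = re.compile(r'(?<![a-z0-9+.\-])file:/', re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # also normalises double and triple percent-encoding


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly until stable or the round limit is hit."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_file_uri_requests(lines):
    """Return one dict per log line whose request target carries a file: URI."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparsable line: skipped here, review separately
        target = fully_decode(m["target"])
        if FILE_SCHEME_RE.search(target):
            hits.append({"line": lineno, "src": m["src"],
                         "status": m["status"], "target": target})
    return hits


# Constructed sample lines: documentation IPs, placeholder path and parameters.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jun/2026:03:14:07 +0000] "GET /webdialer/PLACEHOLDER?dest=5551234 HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Jun/2026:03:15:41 +0000] "GET /webdialer/PLACEHOLDER?u=file:///tmp/cve-2026-20230-test.txt HTTP/1.1" 200 0',
    '203.0.113.7 - - [22/Jun/2026:03:15:44 +0000] "GET /webdialer/PLACEHOLDER?u=FILE%3A%2F%2F%2Ftmp%2Fx HTTP/1.1" 500 0',
    '203.0.113.7 - - [22/Jun/2026:03:15:49 +0000] "GET /webdialer/PLACEHOLDER?u=file%253A%252F%252F%252Ftmp%252Fx HTTP/1.1" 200 0',
    '192.0.2.10 - - [22/Jun/2026:03:16:02 +0000] "GET /webdialer/PLACEHOLDER?note=profile://x HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for hit in find_file_uri_requests(SAMPLE_LOG):
        print(f'line {hit["line"]}: {hit["src"]} -> {hit["target"]} ({hit["status"]})')
```

This log format records only the request line, so a file:// URI carried in a request body would not appear; a log with no hits does not clear a host and should be paired with the file-creation hunt.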