Saturday, June 27, 2026

CVE-2026-20230
Cisco Patches in Unified CM as Exploit Code Goes Public

Cisco has fixed a flaw in Unified Communications Manager that lets an attacker on the network write files to the system and then gain full access. It is tracked as CVE-2026-20230, and proof-of-concept exploit code is already available. Cisco’s PSIRT says it has not seen the flaw used in attacks yet.

The flaw is a server-side request forgery (SSRF). Unified CM and its Session Management Edition do not validate some HTTP requests correctly, so a crafted request can make the server write arbitrary files to the operating system. These files are the entry point: Cisco says they can be used later to gain root access, the highest privilege on the system.

The two-step chain is why the score and the rating differ. The CVSS base score is 8.6: it counts the file write (which only affects integrity, not confidentiality or availability) but not the root access that comes after. Cisco still rated the advisory as Critical, since the final result is complete root access.

There is one good thing: the problem only happens when the WebDialer service is on, and WebDialer is off by default. This won’t help any setup that has turned it on.

To check, open Cisco Unified CM Administration and switch to Cisco Unified Serviceability. Under Tools > Control Center – Feature Services, look at the Cisco WebDialer Web Service status in the CTI Services section. Started means you are exposed.

Patching is the only real solution. For train 14, use 14SU6. For train 15, the complete Service Update (15SU5) will not be ready until September 2026, so for now, you can use the temporary COP patch or turn off WebDialer (uncheck it under Tools > Service Activation and save). An independent researcher with SSD Secure Disclosure found the bug.
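For a cluster with many nodes, the WebDialer check and the per-train remediation above can be scripted. The following is an added example, not code from Cisco or from the original article: it assumes each node's `utils service list` CLI output has been saved as text in the `Name[STATE]` line shape shown in the constructed sample, and that each node's release train is known from inventory; the hostnames are constructed.

```python
import re

# Service name as shown in Cisco Unified Serviceability (from the article).
SERVICE = "Cisco WebDialer Web Service"
# Assumed line shape of saved `utils service list` output: Name[STATE] optional note
LINE_RE = re.compile(r"^\s*(?P<name>[^\[\]]+?)\s*\[(?P<state>[A-Z ]+)\]")

# Remediation per release train, as stated in the article.
REMEDIATION = {
    14: "upgrade to 14SU6",
    15: "apply the temporary COP patch or deactivate WebDialer until 15SU5",
}

def webdialer_state(service_list_text):
    """Return the WebDialer state (e.g. 'STARTED'), or None if not listed."""
    for line in service_list_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("name") == SERVICE:
            return m.group("state").strip()
    return None

def triage(nodes):
    """nodes: {hostname: (train, service_list_text)} -> list of finding dicts."""
    findings = []
    for host, (train, text) in sorted(nodes.items()):
        state = webdialer_state(text)
        if state == "STARTED":
            status = "exposed"
        elif state == "STOPPED":
            status = "not exposed"
        else:
            status = "unknown"  # missing line or transitional state: check by hand
        # Only exposed or unverified nodes get an immediate action.
        action = None
        if status != "not exposed":
            action = REMEDIATION.get(train, "check the Cisco advisory for this train")
        findings.append({"host": host, "state": state, "status": status, "action": action})
    return findings

# Constructed sample data (illustrative hostnames and output, not from a real system).
SAMPLE = {
    "cucm-pub.example.test": (15, "Cisco CallManager[STARTED]\nCisco WebDialer Web Service[STARTED]\n"),
    "cucm-sub1.example.test": (14, "Cisco CallManager[STARTED]\nCisco WebDialer Web Service[STOPPED]  Service Not Activated\n"),
    "cucm-sub2.example.test": (14, "Cisco CallManager[STARTED]\n"),
}

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['host']:<24} {f['status']:<12} {f['action'] or '-'}")
```

A node reported as "unknown" is treated like an exposed one for remediation purposes until the service status has been confirmed in Cisco Unified Serviceability.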

Unified CM has been a constant source of serious problems. Last July, Cisco removed a hard-coded root SSH account that was left over from development (CVE-2025-20309, CVSS 10).

In January, it fixed an unprotected RCE in some of its voice products (CVE-2026-20045) that was already being used by hackers, prompting CISA to add it to its list of known exploits.

This fits the pattern: a request that should not have touched anything important did. With a public PoC and the 15-train fix still months away, assume someone will turn that file write into a real attack before the fixes are widespread.
