Cisco has fixed a flaw in Unified Communications Manager that allows an attacker on the network to write files to the system and then gain full access. It is tracked as CVE-2026-20230, and proof-of-concept exploit code is already available. Cisco’s PSIRT says it has not seen anyone use this flaw in attacks yet.
The flaw is a server-side request forgery. Unified CM and its Session Management Edition do not validate some HTTP requests correctly, so a forged request can make the server write arbitrary files to the operating system. These files are the entry point. Cisco says they can be used later to gain root access, which is the highest permission on the system.
Because the attack has two steps, the score and the rating differ. The CVSS base score is 8.6: it counts the file write (which only affects integrity, not confidentiality or availability) but not the root access that comes after. Cisco still rated the advisory as Critical, since the final result is complete root access.
There is one mitigating factor: the flaw is only exposed when the WebDialer service is on, and WebDialer is off by default. That is no help to any setup that has turned it on.
To check, open Cisco Unified CM Administration and switch to Cisco Unified Serviceability. Under Tools > Control Center – Feature Services, look at the Cisco WebDialer Web Service status in the CTI Services section. Started means you are exposed.
Patching is the only real solution. For train 14, use 14SU6. For train 15, the complete Service Update (15SU5) will not be ready until September 2026, so for now, you can use the temporary COP patch or turn off WebDialer (uncheck it under Tools > Service Activation and save). An independent researcher with SSD Secure Disclosure found the bug.
Unified CM has been a constant source of serious problems. Last July, Cisco removed a hard-coded root SSH account that was left over from development (CVE-2025-20309, CVSS 10).
In January, it fixed an unprotected remote code execution flaw in some of its voice products (CVE-2026-20045) that was already being exploited by attackers, prompting CISA to add it to its Known Exploited Vulnerabilities catalog.
This fits the pattern: a request that should not have touched anything important did. With a public PoC and the 15-train fix still months away, assume someone will turn that file write into a real attack before the fixes are widespread.
