HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-20230Published Modified CNA cisco

CVE-2026-20230: A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected devi

A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root. Note: To exploit this vulnerability, the WebDialer service must be enabled. WebDialer is disabled by default.

Metrics

CVSS v3.1
8.6
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A server-side request forgery (SSRF) vulnerability exists in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME). The flaw is reachable over the network with no authentication required, exploited by sending a specially crafted HTTP request to the affected device. Successful exploitation allows an attacker to write arbitrary files to the underlying operating system, which can then be leveraged to escalate privileges to root. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Cisco publishes an upstream fix.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment. CVE-2026-20230 is ingested from upstream feeds, including the Cisco PSIRT advisory channel, within minutes of publication and matched against all customer images, including custom-built images containing Unified CM components.

Available
Triage

HarborGuard scores this finding at CVSS 8.6 HIGH (v3.1), with Cisco's own Security Impact Rating noting effective Critical severity due to the privilege-escalation path. Per-environment compliance policy weighting and team routing rules are applied automatically so the alert reaches the right inbox inside each customer organization.

Available
Patch

No fix version has been published by Cisco at this time. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available and trigger the auto-remediation flow (rebuild, regression run, and PR against affected workloads) the moment an upstream fix is released, for customers with auto-remediation enabled.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the affected Unified CM device over the network by sending a crafted HTTP request to an exposed endpoint.

  • AuthenticationNot required

    No credentials or account are needed; the vulnerability is exploitable by any unauthenticated remote attacker.

  • Victim interactionNot required

    No user action or interaction is required; the attacker exploits the service directly.

  • Attack complexityDetail

    Exploit conditions are straightforward and reliable with no race conditions or environmental prerequisites, though the WebDialer service must be enabled on the target (it is disabled by default).

Blast Radius

  • Attacker writes arbitrary files to the underlying operating system of the Unified CM device.
  • Written files are used as a stepping stone to escalate privileges to root on the host.
  • With root access, an attacker gains full control over the communications platform, including call routing data, configuration, and any credentials stored on the system.
  • The scope impact is marked Changed (S:C), meaning the attacker can affect resources and systems beyond the vulnerable component itself.

How HarborGuard Handles This

Available on HarborGuard: because Cisco has not yet published a fix for CVE-2026-20230, HarborGuard continuously monitors the Cisco PSIRT advisory each ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression run and PR against affected workloads the moment an upstream fix appears. In the interim, the primary compensating control is to confirm the WebDialer service is disabled on all Unified CM deployments, since exploitation requires WebDialer to be active. Where network policy permits, applying ingress filtering to restrict HTTP access to the Unified CM administrative and service interfaces to trusted source ranges reduces the reachable attack surface. Customers can use HarborGuard compliance policies to flag any image running Unified CM with WebDialer enabled as a policy violation, routing it for manual review until a patch is available.

See how HarborGuard automates this
Affected packages
  • Cisco / Cisco Unified Communications Manager
    N/A
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
References