PT-2026-45987 · Cisco · Cisco Unified Communications Manager+1
Published: 2026-06-03 · Updated: 2026-06-06
CVE-2026-20230
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Cisco Unified Communications Manager (affected versions not specified)
Cisco Unified Communications Manager Session Management Edition (affected versions not specified)
Description
An issue in Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition allows an unauthenticated remote attacker to perform server-side request forgery (SSRF) attacks. The cause is improper input validation for specific HTTP requests. A successful exploit enables the attacker to write files to the underlying operating system, which can subsequently be used to elevate privileges to root. The flaw is exploitable only if the WebDialer service is enabled; the service is disabled by default.
Recommendations
Apply Unified CM 14SU6.
As a temporary workaround, disable the WebDialer service.
Fix
LPE
SSRF
Affected Products
Cisco Unified Communications Manager
Cisco Unified Communications Manager Session Management Edition