Critical Vulnerability in Cisco Unified Communications Manager
5 June 2026
Cisco released security updates to fix a critical vulnerability in Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition. Attackers can gain root privileges by exploiting the vulnerability. Users of affected products are advised to update to the latest versions immediately.
Background
Cisco has released security updates to address a server-side request forgery vulnerability (CVE-2026-20230) affecting Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). This vulnerability has a Common Vulnerability Scoring System (CVSS v3.1) score of 8.6 out of 10. Cisco has also assigned a Security Impact Rating (SIR) of CRITICAL for this vulnerability, as an attacker can gain root privileges if it is successfully exploited.
Impact
Due to improper input validation for specific HTTP requests, an unauthenticated attacker could send a crafted HTTP request to write files to the underlying operating system, which could subsequently be used to escalate privileges to root on the affected system.
Known Exploitation
A proof of concept is publicly available.
Affected Products
This vulnerability affects Cisco Unified CM and Cisco Unified CM SME if the WebDialer service is enabled. The following releases are affected:
Cisco Unified CM and Unified CM SME Release 14: versions prior to 14SU6
Cisco Unified CM and Unified CM SME Release 15: all versions prior to 15SU5
Mitigation
Users and administrators of affected products are advised to update to the latest versions immediately. As an interim measure, administrators who are unable to update immediately should disable the WebDialer service to mitigate this vulnerability.
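The release thresholds under Affected Products and the WebDialer condition under Mitigation can be turned into a simple inventory triage. The script below is an added example written for this advisory, not code from Cisco; it assumes the advisory's own "14SU6"/"15SU5" release notation (a bare major such as "15" is treated as SU0), and the inventory rows and their WebDialer flags are constructed sample data that an administrator would normally gather from their own nodes.

```python
import re
from dataclasses import dataclass
from typing import List, Dict, Tuple

# First fixed service update per release train, as stated in the advisory:
# Release 14 is affected before 14SU6, Release 15 before 15SU5.
FIXED_SU = {14: 6, 15: 5}

# Matches the advisory's notation: "<major>" or "<major>SU<n>" (assumption: bare major == SU0).
_RELEASE_RE = re.compile(r"^\s*(\d+)(?:SU(\d+))?\s*$", re.IGNORECASE)


def parse_release(version: str) -> Tuple[int, int]:
    """Return (major, su) for strings like '14SU5', '15SU4' or '15'."""
    m = _RELEASE_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised release string: {version!r}")
    major = int(m.group(1))
    su = int(m.group(2)) if m.group(2) else 0
    return major, su


def release_status(version: str) -> str:
    """Classify a release as 'vulnerable', 'fixed' or 'unlisted'.
    'unlisted' means the train is not named in this advisory and must be
    checked against Cisco's own advisory rather than assumed safe."""
    major, su = parse_release(version)
    if major not in FIXED_SU:
        return "unlisted"
    return "vulnerable" if su < FIXED_SU[major] else "fixed"


@dataclass
class Node:
    hostname: str
    version: str
    webdialer_enabled: bool  # hypothetical flag, gathered from the node by the admin


def assess(node: Node) -> str:
    """Combine release status with the WebDialer service state:
    'exposed'    - vulnerable release and WebDialer enabled: update now
    'mitigated'  - vulnerable release but WebDialer disabled: interim measure in place, still update
    'ok'         - release already carries the fix
    'unlisted'   - train not covered by this advisory"""
    status = release_status(node.version)
    if status == "vulnerable":
        return "exposed" if node.webdialer_enabled else "mitigated"
    return "ok" if status == "fixed" else "unlisted"


def triage(nodes: List[Node]) -> Dict[str, str]:
    """Map every hostname in the inventory to its assessment."""
    return {n.hostname: assess(n) for n in nodes}


# Constructed sample inventory (hostnames and states are made up for illustration).
INVENTORY = [
    Node("cucm-pub-01", "15SU3", True),
    Node("cucm-sub-01", "15SU3", False),
    Node("cucm-sme-01", "14SU6", True),
    Node("cucm-lab-01", "12SU3", True),
]

if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host:14} {verdict}")
```

Nodes reported as "mitigated" are still running vulnerable code; the WebDialer workaround only closes the exposed path until the update to 14SU6 or 15SU5 can be applied.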