- Cisco has patched a critical server-side request forgery vulnerability, CVE-2026-20230, in its Unified Communications Manager and Session Management Edition.
- The flaw allows an unauthenticated attacker on the network to write files to the system and then escalate privileges to gain full root access.
- Public proof-of-concept exploit code exists, increasing the risk, though Cisco has not yet observed active exploitation in the wild.
- The vulnerability is only exploitable if the WebDialer service is active, which is disabled by default in the software.
On June 4, 2026, Cisco issued a critical patch for a serious flaw in its core voice communication platforms, which could allow attackers to gain complete control over affected systems. This server-side request forgery bug, tracked as CVE-2026-20230, lets an unauthenticated attacker write files directly to the operating system.
Consequently, attackers can use those files as a foothold to escalate privileges and achieve root access. The company’s product security incident response team confirms that no active attacks have been seen yet, but the public release of proof-of-concept exploit code shortens the time available for defenders to act.
However, a significant mitigating factor exists, as the vulnerability only works when the WebDialer service is running. This service is disabled by default in Cisco Unified Communications Manager deployments, which reduces the potential attack surface significantly.
Administrators can check the service status in the Cisco Unified Serviceability control panel under the CTI Services section. For systems where WebDialer is active, applying the provided patches is the only complete solution.
The interim fix for the 15.x software train is a COP patch, as the full Service Update is not scheduled until September 2026. Alternatively, administrators can deactivate the WebDialer service entirely through the Service Activation menu.
This incident follows a pattern of serious vulnerabilities found in Cisco’s voice products recently. In January 2026, the company patched another unauthenticated remote code execution flaw, CVE-2026-20045, which was already being exploited in the wild.
