Cisco CUCM SSRF to RCE Chain (CVE-2026-20230)
Sploitus-indexed PoC analysis chains unauthenticated WebDialer SSRF through Axis internals to arbitrary file write and RCE.
Summary
CVE-2026-20230 is a server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM / CUCM) and Unified CM Session Management Edition (SME). Under specific configurations, notably with WebDialer enabled, unauthenticated attackers can coerce the appliance into accessing internal services. Public analyses indexed on Sploitus describe chaining the SSRF through cmplatform / Axis mechanics to arbitrary file write and potential root-level code execution. Cisco rates it CVSS 3.1 8.6, with a Critical security impact rating because the SSRF can be escalated to an OS file write.
OFFSITE.DARK summarizes the indexed defensive analysis only; Sploitus is the aggregation source.
Technical Details
| Aspect | Detail |
|---|---|
| CVE | CVE-2026-20230 |
| Products | Cisco Unified CM, Unified CM SME |
| Primitive | SSRF → internal Axis/WebDialer paths → file write |
| Prerequisite | WebDialer service enabled (disabled by default) |
| Auth | None for initial SSRF stage |
| CVSS 3.1 | 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N) |
Indexed chain overview:
```
WebDialer WSDL / hostname discovery
        │
        ▼
SSRF via cmplatform-related interfaces
        │
        ▼
Internal Axis / WebDialer management paths
        │
        ▼
Controlled content written to OS or web paths
        │
        ▼
RCE via web container or service loading (config-dependent)
```
Assessors should not equate HTTP 200 on WebDialer URLs with exploitability — version, patch level, hostname resolution, and WebDialer state all gate the chain.
CVE
| Field | Value |
|---|---|
| CVE | CVE-2026-20230 |
| Cisco SIR | Critical (file write / potential root) |
| Sploitus date | 2026-06-25 |
| Indexed content | Defensive chain analysis (no weaponized payloads in OFFSITE.DARK summary) |
Impact
Telecom and enterprise voice teams running internet-exposed CUCM with WebDialer face full appliance compromise risk — toll fraud, call interception, lateral movement into voice VLANs, and credential exposure on integrated identity systems.
Mitigation
- Apply Cisco security fixes for CVE-2026-20230 per vendor advisory.
- Disable WebDialer unless operationally required.
- Restrict network access to CUCM admin and WebDialer interfaces; no public internet exposure.
- Monitor for SSRF indicators: internal loopback/hostname requests from CUCM to itself, unexpected files under web or Axis deployment paths.
- Inventory CUCM assets and confirm patch status before threat actors begin mass-scanning with the indexed PoC logic.
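A sketch of the first monitoring indicator above (requests that the appliance makes to itself), written for this summary and not taken from Cisco or the indexed analysis. The log layout, the node address, the baseline prefix and every path in the sample are constructed placeholders, not real CUCM values.

```python
import ipaddress
import re
from collections import Counter

# Assumed log layout (Common Log Format style); adjust LOG_RE to the real source.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+'
)

# Constructed sample lines: documentation addresses and placeholder paths only.
SAMPLE_LINES = [
    '127.0.0.1 - - [01/Jan/2030:10:00:00 +0000] "GET /example/healthcheck HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jan/2030:10:00:01 +0000] "GET /example/user-portal HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2030:10:00:02 +0000] "POST /example/internal-admin?x=1 HTTP/1.1" 200 88',
    '::ffff:127.0.0.1 - - [01/Jan/2030:10:00:03 +0000] "POST /example/internal-admin HTTP/1.1" 200 88',
    'truncated or malformed line',
]
OWN_ADDRS = ["192.0.2.10"]                     # hypothetical: the node's own address
EXPECTED_PREFIXES = ("/example/healthcheck",)  # hypothetical baseline of normal self-traffic


def is_self(client, own):
    """True if the logged client is loopback or one of the node's own addresses."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostname or garbage in the client field is not classified here
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # treat ::ffff:127.0.0.1 the same as 127.0.0.1
    return ip.is_loopback or ip in own


def self_requests(lines, own_addrs, expected_prefixes):
    """Count self-originated requests per path, skipping the expected baseline."""
    own = {ipaddress.ip_address(a) for a in own_addrs}
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_self(m["client"], own):
            continue
        path = m["path"].split("?", 1)[0]  # group by path, ignore the query string
        if not path.startswith(tuple(expected_prefixes)):
            hits[path] += 1
    return hits.most_common()


if __name__ == "__main__":
    for path, count in self_requests(SAMPLE_LINES, OWN_ADDRS, EXPECTED_PREFIXES):
        print(f"self-originated request outside baseline: {path} x{count}")
```

Build the baseline from a known-good period first, since health checks and inter-service calls legitimately originate from the node itself.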
Sources
- Sploitus — CVE-2026-20230 analysis (index reference)
- Cisco Security Advisory (verify current URL on Cisco PSIRT portal)