Cisco has released security updates to patch a critical-severity Unified Communications Manager (Unified CM) flaw that allows attackers to gain root privileges.
Cisco Unified CM (formerly known as Cisco CallManager) serves as the central control system for Cisco IP telephony systems, handling device management, call routing, and telephony features.
The vulnerability (tracked as CVE-2026-20230) can be exploited remotely by threat actors without privileges in low-complexity server-side request forgery (SSRF) attacks.
“An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root,” Cisco said.
“Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.”
Cisco’s Product Security Incident Response Team (PSIRT) is aware of publicly available proof-of-concept exploit code for CVE-2026-20230, but has yet to find evidence of active exploitation or targeting.
Luckily, the vulnerability only impacts systems where the WebDialer service is enabled, and WebDialer is disabled by default.
To check whether WebDialer is enabled, log in to Cisco Unified CM Administration, go to “Cisco Unified Serviceability,” click “Go,” and check the service status in the Tools > CTI Services menu under “Control Center – Feature Services.”
While there are no workarounds to mitigate this vulnerability, and it’s highly recommended to install Cisco Unified CM versions 14SU6 or 15SU5 (Sep 2026 or COP), administrators can also disable the WebDialer service until a patch is applied to block any incoming CVE-2026-20230 attacks.
To disable WebDialer, go through the following steps:
- Log in to the Cisco Unified CM Administration interface.
- From the ‘Navigation’ menu, choose ‘Cisco Unified Serviceability and click Go.
- From the ‘Tools’ menu, choose ‘Service Activation.’
- In the ‘CTI Services’ section of the page, uncheck the ‘Cisco WebDialer Web Service’ checkbox, then click Save.
In January, Cisco fixed another critical Unified CM vulnerability (CVE-2026-20045) that has been actively exploited as a zero-day in remote code execution attacks.
Over the past several years, the company also removed a Unified CM backdoor account that allowed remote attackers to log in to unpatched devices with root privileges, and patched another flaw (CVE-2024-20253) that enabled threat actors to gain root access to vulnerable systems.
Over the past five years, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) tagged 91 Cisco vulnerabilities as actively exploited in the wild, six of which have been used by various ransomware operations.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
