Vulnerability in Cisco Products Could Allow Server-Side Request Forgery

A vulnerability has been discovered in Cisco products that could allow server-side request forgery. Cisco Unified Communications Manager (Unified CM) / Cisco Unified Communications Manager Session Management Edition (Unified CM SME) is Cisco’s central call control and session management software platform for business communications.

Successful exploitation of this vulnerability could allow server-side request forgery, in which an attacker could write files to the underlying operating system that could later be used to escalate to the root level. Depending on where the attacker is able to write files, they may be able to execute commands or remotely access the affected device.

There are currently no reports of these vulnerabilities being exploited in the wild. Proof of concept code appears to exist publicly.

A vulnerability has been discovered in Cisco products that could allow server-side request forgery. The details of the vulnerability are as follows:

Tactical: Initial Access (TA0001):

Technique: Using an application intended for the public (T1190):

• A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) has been discovered and is remotely exploitable without authentication. If successfully exploited, this vulnerability can lead to server-side request forgery, allowing the attacker to write arbitrary files to the system. These files can be placed in automatically executed locations, allowing the attacker to execute remote commands or remotely access the compromised device. Organizations using Unified CM in Internet-connected or poorly segmented environments are at increased risk. To exploit this vulnerability, the WebDialer service must be enabled. WebDialer is disabled by default. (CVE-2026-20230)

Successful exploitation of this vulnerability could allow server-side request forgery, in which an attacker could write files to the underlying operating system that could later be used to escalate to the root level. Depending on where the attacker is able to write files, they may be able to execute commands or remotely access the affected device.

We recommend that the following actions be taken:

• Apply appropriate updates provided by Cisco or other vendors that use this software to vulnerable systems immediately after appropriate testing. (M1051: software update)
• Backup 7.1: Establish and maintain a vulnerability management process: Establish and maintain a documented vulnerability management process for company assets. Review and update documentation annually or when significant changes within the business occur that could impact this protection.
• Safeguard 7.2: Establish and maintain a remediation process: Establish and maintain a risk-based remediation strategy, documented in a remediation process, with monthly or more frequent reviews.
• Backup 7.4: Perform automated application patch management: Perform application updates to enterprise assets via automated patch management on a monthly or more frequent basis.
• Backup 7.5: Perform automated vulnerability scans of internal company assets: Perform automated vulnerability scans of internal company assets on a quarterly or more frequent basis. Perform authenticated and unauthenticated scans using a SCAP-compliant vulnerability scanning tool.
• Backup 7.7: Fix Detected Vulnerabilities: Fix detected vulnerabilities in software through processes and tools on a monthly or more frequent basis, depending on the remediation process.
• Backup 12.1: Ensure that the network infrastructure is up to date: Ensure that the network infrastructure is kept up to date. Example implementations include running the latest stable version of the software and/or using currently supported Network as a Service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
• Safeguard 18.1: Establish and maintain a penetration testing program: Establish and maintain a penetration testing program appropriate to the size, complexity and maturity of the business. Penetration testing program characteristics include scope, such as network, web application, application programming interface (API), hosted services, and physical premises controls; frequency; limitations, such as acceptable hours and excluded types of attacks; contact details; corrective actions, such as how results will be communicated internally; and retrospective requirements.
• Safeguard 18.2: Perform periodic external penetration testing: Perform periodic external penetration testing based on program requirements, at least annually. External penetration testing should include reconnaissance of the business and environment to detect actionable information. Penetration testing requires specialist skills and experience and should be carried out by a qualified party. The test can be carried out in a transparent box or an opaque box.
• Backup 18.3: Remediate Penetration Test Results: Remediate penetration test results based on company policy for scope and priority of remediation.

• Apply the principle of least privilege to all systems and services. Run all software as an unprivileged user (without administrative privileges) to lessen the effects of a successful attack. (M1026: Management of privileged accounts)
• Backup 4.7: Manage default accounts on enterprise assets and software: Manage default accounts on enterprise assets and software, such as root, administrator, and other preconfigured vendor accounts. Example implementations may include: disabling default accounts or rendering them unusable.
• Backup 5.5: Establish and maintain an inventory of service accounts: Establish and maintain an inventory of service accounts. The inventory must at a minimum contain the service owner, review date and purpose. Perform service account reviews to verify that all active accounts are authorized, on a recurring schedule at least quarterly or more frequently.

• Vulnerability scanning is used to find potentially exploitable software vulnerabilities for remediation. (M1016: Vulnerability Analysis)
• Backup 16.13: Perform Application Penetration Testing: Perform application penetration testing. For mission-critical applications, authenticated penetration testing is better suited to detecting business logic vulnerabilities than code analysis and automated security testing. Penetration testing relies on the tester’s ability to manually manipulate an application as an authenticated and unauthenticated user.

• Architect sections of the network to isolate critical systems, functions or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain all Internet-accessible services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network segmentation)
• Backup 12.2: Establish and maintain a secure network architecture: Establish and maintain a secure network architecture. A secure network architecture must at a minimum take into account segmentation, least privilege and availability.

• Use features to detect and block conditions that could lead to or indicate the occurrence of a software exploit. (M1050: Exploit Protection)
• Safeguard 10.5: Enable Anti-Exploit Features: Enable anti-exploit features on company assets and software, where possible, such as Microsoft Data Execution Prevention (DEP), Windows Defender Exploit Guard (WDEG), or Apple System Integrity Protection (SIP) and Gatekeeper™.