Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-20230

Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-918 Falsificación de solicitud en servidor (SSRF)
Fecha de publicación:
03/06/2026
Última modificación:
01/07/2026

Descripción

*** Pendiente de traducción *** A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device.<br /> <br /> This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.<br /> Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.<br /> Note: To exploit this vulnerability, the WebDialer service must be enabled. WebDialer is disabled by default.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:-:*:*:* 14.0 (incluyendo) 14su6 (excluyendo)
cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:* 14.0 (incluyendo) 14su6 (excluyendo)
cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:-:*:*:* 15.0 (incluyendo) 15su4a (incluyendo)
cpe:2.3:a:cisco:unified_communications_manager:*:*:*:*:session_management:*:*:* 15.0 (incluyendo) 15su4a (incluyendo)