Cisco Unified Communications Manager WebDialer SSRF to File Write and Root Privilege Escalation

Repository contains a single Python PoC exploit and a README describing the attack chain and defensive considerations. The main file, CVE-2026-20230-poc.py, is a standalone command-line exploit that targets Cisco CUCM by chaining unauthenticated web access, hostname discovery from WebDialer WSDL, SSRF through the cmplatform install status endpoint, Axis service abuse, arbitrary file write, and final JSP-based command execution. The exploit is structured as a staged workflow: get_hostname() retrieves the real internal hostname from /webdialer/Version.jws?wsdl; ssrf_create_axis_service() sends a crafted request to /cmplatform/installClusterStatusExecute with a doubly encoded Axis deployment descriptor that creates a service named randomR11 and abuses org.apache.axis.handlers.LogHandler to write aaa.jsp into the Tomcat axis2-web directory; later stages verify the service, write an initial JSP dropper, write a second JSP command shell (c.jsp), and execute an operator-supplied command such as id. The script supports a --check mode, target/port selection, and command selection, indicating practical exploit intent rather than mere detection. The README is extensive and mostly explanatory, covering prerequisites such as WebDialer needing to be enabled, affected product context, attack-chain rationale, detection opportunities, and mitigation guidance. Overall, this is a real operational PoC for unauthenticated SSRF-to-arbitrary-file-write-to-RCE against CUCM, not just a scanner or documentation-only repository.

Small single-script Python repository containing a Cisco Unified CM CVE-2026-20230 scanner and PoC tester. Repository structure is minimal: one executable Python script, a README, dependency file, license, and .gitignore. The main script uses requests, urllib3, argparse, and colorama. Core capabilities: 1) Recon/fingerprinting: scan_target() sends GET requests to several Cisco Unified CM-related paths (/webdialer/Webdialer, /webdialer/Cisco_WebDialer_Service, /ccmadmin/showHome.do, /login.jsp, /cmplatform/, /cucm-uds/) and looks for response markers such as 'cucm', 'unified cm', 'webdialer', and version-like strings '14.'/'15.'. 2) Service detection: check_webdialer() probes likely WebDialer endpoints and flags the service as enabled when HTTP 200/403 responses contain WebDialer-related strings. 3) PoC testing: test_poc() submits a POST request to /webdialer/Webdialer with form fields dest and url set to file:// URIs, attempting to trigger a file-write primitive to an arbitrary path on the target. Success is inferred heuristically from status codes or response keywords. Important limitations: the script itself labels the POST body as a placeholder and explicitly says to replace it with real PoC parameters. Therefore, while it is exploit-oriented and includes an active write-test routine, it is not a complete weaponized exploit and does not contain a verified end-to-end root compromise chain. It is best characterized as an operational scanner/PoC harness rather than a polished exploit framework. No external hardcoded C2 or callback infrastructure is present. All network activity is direct client-to-target HTTP(S) requests. TLS verification is disabled, which helps against self-signed CUCM deployments. The script is interactive by default but supports automated PoC execution with --poc and a custom target file path via --file.