Cisco Unified CM flaw now exploited to gain root on phone systems
A flaw in Cisco Unified Communications Manager, the system that runs enterprise phone and call infrastructure, is now being exploited in attacks. The bug (CVE-2026-20230) is a server-side request forgery that lets an unauthenticated attacker send a crafted HTTP request to write files onto the underlying system, which can then be used to escalate to root and fully take over the server. Cisco patched it on June 3 and rates it critical; public exploit code has been available since, and security firms now see active exploitation attempts. The flaw is only exploitable when the WebDialer service is enabled, which is not the default.
- Check: Check whether your Cisco Unified CM or Session Management Edition deployments have the WebDialer service enabled and confirm the software version, then review system logs for unexpected file writes or webshells.
- Affected: Cisco Unified CM and Unified CM SME with the WebDialer service enabled (CVE-2026-20230); version 14 before 14SU6 and version 15 before 15SU5, especially with management interfaces reachable by attackers.
- Fix: Patch to Cisco Unified CM 14SU6 or apply the version 15 interim fix, or disable the WebDialer service if it is not needed, and restrict management interfaces to trusted networks.