Cisco Unified CM Under Attack: What CVE-2026-20230 Means for Your Phone System



A patch released three weeks ago has turned into a live incident. CVE-2026-20230, a flaw in Cisco Unified Communications Manager, is now being exploited in the wild, and an attacker who pulls it off lands with root on the server running an organisation's phone system. Cisco shipped the fix on 3 June. The attacks started over the weekend of 21 to 22 June.


What Happened


CVE-2026-20230 is a server-side request forgery weakness in Cisco Unified Communications Manager and its Session Management Edition, rated 8.6 on the CVSS scale. The bug sits in the WebDialer component, which mishandles user-supplied URLs. By sending a crafted HTTP request with a file:// URI, an unauthenticated attacker can write arbitrary files to the underlying operating system and, from there, escalate to root and run code of their choosing. Cisco credited SSD Secure with the disclosure, and once exploitation began the researchers published a full write-up and proof-of-concept. Threat intelligence firm Defused first reported the activity, noting it came from a single IP address and used properly formed file:// payloads to drop a marker file on vulnerable hosts.


Why It Matters


Unified CM is the brain of corporate telephony for thousands of Australian organisations, from local councils and hospitals to mid-market firms still running voice on-premises. Root on that box is not a minor foothold. It gives an attacker a trusted position inside the network, call records and configuration to mine, and a staging point for lateral movement. WebDialer is disabled by default, which narrows the blast radius, but plenty of deployments switch it on for click-to-dial, and those are the systems being swept right now.


Now that the flaw has been fully disclosed, we will likely see more threat actors target these servers.


What Security Teams Should Do Now


  • Apply Cisco's 3 June updates for Unified CM and Unified CM SME without waiting for CISA to add the CVE to its Known Exploited Vulnerabilities catalogue.

  • Check whether the WebDialer service is enabled. If your organisation does not rely on click-to-dial, disable it and reduce the exposed surface.

  • Keep Unified CM management and web interfaces off the public internet, behind segmentation and access controls.

  • Hunt for indicators of compromise: the marker file /tmp/cve-2026-20230-test.txt, unexpected files written under the application, and any webshells or new processes running as root.

  • Review HTTP and application logs for crafted requests to the WebDialer endpoint, particularly from single or Tor-exit source addresses.

  • Treat any host that was exposed and unpatched as potentially compromised, and plan to rebuild rather than assume a patch alone evicts an intruder.
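One way to put the log-review step above into practice, as an added example that is not part of the original post or of any Cisco tooling: it scans Apache/Tomcat-style access log lines for WebDialer requests carrying a file:// URI (including double-encoded forms) and counts hits per source address, so a single-IP sweep stands out. The /webdialer/ path prefix, the parameter name and the log lines are assumptions or constructed samples.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: WebDialer is served under this path prefix on the Unified CM Tomcat instance.
WEBDIALER_PREFIX = "/webdialer/"

# Apache/Tomcat "combined" access-log layout: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (hypothetical hosts and parameter name, not from a real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2026:02:14:08 +0000] "GET /webdialer/Webdialer HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [21/Jun/2026:02:14:09 +0000] "GET /webdialer/Webdialer?example=file%3A%2F%2F%2Ftmp%2Fx HTTP/1.1" 200 88 "-" "curl/8.4.0"
198.51.100.23 - - [21/Jun/2026:09:30:41 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2026:02:14:11 +0000] "GET /webdialer/Webdialer?example=file%253A%252F%252F%252Fetc%252Fx HTTP/1.1" 200 88 "-" "curl/8.4.0"
"""

def fully_decode(s, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%253A -> %3A -> :) are caught too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_file_uri_probe(entry):
    """True when a WebDialer request carries a file:// URI anywhere in its path or query."""
    target = entry["target"]
    if not target.lower().startswith(WEBDIALER_PREFIX):
        return False
    return "file://" in fully_decode(target).lower()

def scan_log(text):
    """Return the suspicious entries and a per-source-IP hit count (single-source bursts stand out)."""
    hits = [e for e in map(parse_line, text.splitlines()) if e and is_file_uri_probe(e)]
    return hits, Counter(e["ip"] for e in hits)

if __name__ == "__main__":
    hits, per_ip = scan_log(SAMPLE_LOG)
    for e in hits:
        print(f'{e["ts"]} {e["ip"]} {e["method"]} {e["target"]} -> {e["status"]}')
    print("hits per source:", dict(per_ip))
```

Access logs record only the request line, so a file:// URI carried in a POST body will not appear here; pair this check with a look for the marker file and for unexpected files under the application.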


Aurian's Take


This is a familiar pattern, and the timeline is the lesson. A vendor patches quietly, technical detail trickles out, a proof-of-concept appears, and within weeks opportunistic scanning turns into real exploitation. Communications infrastructure rarely tops the patching queue because it is not where the obvious crown jewels sit, yet it runs with deep privileges and broad network reach. Attackers have worked this out. The gap between a fix being available and a fix being applied is exactly where they operate, and three weeks was enough this time.


Regular penetration testing and security assessment exist to close that gap before someone else finds it. A good engagement does not stop at the perimeter firewall; it looks at the systems organisations forget they are running, including voice platforms, management interfaces and the services quietly left enabled. At Aurian we see the same overlooked assets again and again, and they are often the fastest route to root. Testing on a schedule, rather than after an incident, is how an organisation learns which doors are open while there is still time to shut them.



CVE-2026-20230 is a reminder that the systems running your business are only as safe as the last time someone checked them. To find out how Aurian can help your organisation assess its exposure, get in touch at https://www.aurian.com.au/contact.


© 2026 Aurian Security Pty Ltd.

All rights reserved.