A Cisco Phone-System Bug Went From 'No Known Attacks' to Webshells in Three Weeks
CVE-2026-20230 lets an unauthenticated attacker write files as root through Cisco Unified CM's WebDialer. The saving grace: WebDialer is off by default.

Janet Torvalds
June 26, 2026
Cisco patched a flaw in its Unified Communications Manager on June 3 and told customers it had no evidence anyone was using it. Three weeks later, honeypots started catching webshells.
The bug is CVE-2026-20230, a server-side request forgery (SSRF) hole in the WebDialer component of Cisco Unified CM and its Session Management Edition (Unified CM SME), the call-processing software that runs a lot of corporate phone systems. Cisco scored it 8.6 and rated it Critical, a notch above what the number alone suggests, because a working exploit ends with root on the box.
What the bug actually does
SSRF means you trick a server into making a request it shouldn't. Here the requests are file:// URIs, which point at the local disk instead of a remote host, so the "request" becomes a file write. Control the path and the contents and you can drop a file wherever the service can reach.
The full chain, as described by threat-intelligence firm Defused and the researchers who found the bug: abuse the WebDialer SSRF to stand up a rogue Apache Axis service, use that to write a first-stage JSP file-writer, then drop a second-stage command shell under /platform-services/axis2-web/. From there it is command execution, and then root.
There is one prerequisite. The attacker needs the target's hostname before the file write works. SSD Secure Disclosure, the team that reported the bug, showed that the hostname is retrievable from the device itself, so it is not much of a speed bump.
The default is on your side
The single most useful fact in the advisory: WebDialer is disabled by default. Cisco spells out how to check. In Cisco Unified Serviceability, open Control Center, Feature Services, and look at the status of "Cisco WebDialer Web Service." If it reads Not Running, this CVE does not apply to you. If it reads Started, you are in the exposed group, and you have been since the patch shipped.
That is the real shape of the risk. This is not every Unified CM box on the internet. It is the subset that switched on WebDialer, a click-to-dial convenience feature, and then did not patch.
What changed this week
Cisco's advisory, still at version 1.0, reads "not aware of any malicious use." That was true on June 3. What it could not account for: SSD published a full technical write-up with a working proof-of-concept on Tuesday, and exploitation turned up almost immediately. Defused said it watched the attacks begin over the weekend, from a single IP address, routed through Tor.
The current activity looks like reconnaissance. The payload Defused observed writes a harmless marker file, /tmp/cve-2026-20230-test.txt, which is how you fingerprint vulnerable boxes at scale before bothering to drop a real shell. That is the quiet phase. Once a public PoC exists, the distance between scanning and owning tends to close quickly.
As of Defused's note, the CVE was not yet listed in CISA's Known Exploited Vulnerabilities catalog. That can change on a day's notice.
What to do
Cisco's fixed releases:
| Unified CM / Unified CM SME train | First fixed release |
|---|---|
| 14 | 14SU6 |
| 15 | 15SU5 (September 2026) or COP file |
The awkward line is 15.x. The service update that carries the fix, 15SU5, is not scheduled until September. If you are on 15 and cannot wait, Cisco's options are a COP patch file or the one mitigation it actually offers: turn WebDialer off. In Service Activation, uncheck Cisco WebDialer Web Service and save. There are no other workarounds.
If you spent this year feeling unlucky about Unified CM, you were. In January, attackers exploited CVE-2026-20045, a separate code-injection bug in Cisco's enterprise communications products, as a zero-day. Two root-level holes in the phone system in six months is not a good run.
For most shops this is not a five-alarm fire. WebDialer off, and you can file it under someone else's problem. WebDialer on and unpatched since June 3, and you should treat the box as reachable and go looking for files you did not put there, starting under /platform-services/axis2-web/.
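One way to run that hunt, as an added example that is not code from Cisco, Defused or SSD: it walks an offline copy of the server's filesystem and flags the marker file plus anything under a platform-services/axis2-web directory that is missing from a known-good baseline or was modified on or after June 3. The mount point, the baseline list and every file name in the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

MARKER = "tmp/cve-2026-20230-test.txt"    # scan marker file named in the article
WEB_DIR = "platform-services/axis2-web"   # second-stage drop location named in the article
CUTOFF = datetime(2026, 6, 3, tzinfo=timezone.utc).timestamp()  # day the fix shipped

def hunt(root, baseline=frozenset(), cutoff=CUTOFF):
    """Walk an offline filesystem copy at `root`; return sorted (reason, path) findings.
    `baseline`: root-relative paths from a known-good install (you build it; assumption)."""
    findings = []
    if os.path.lexists(os.path.join(root, MARKER)):
        findings.append(("scan-marker", MARKER))
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        # Match the web directory wherever it sits inside the copy, subdirs included.
        if f"/{WEB_DIR}/" not in f"/{rel_dir}/":
            continue
        for name in files:
            rel = f"{rel_dir}/{name}"
            if rel not in baseline:
                kind = "unknown-jsp" if name.lower().endswith((".jsp", ".jspx")) else "unknown-file"
                findings.append((kind, rel))
            # mtime is only a hint: it survives only in a timestamp-preserving copy,
            # and an attacker with root can reset it.
            elif os.lstat(os.path.join(dirpath, name)).st_mtime >= cutoff:
                findings.append(("modified-since-patch", rel))
    return sorted(findings)

def demo():
    """Run the hunt over a constructed sample tree (all names below are made up)."""
    with tempfile.TemporaryDirectory() as root:
        web = f"opt/app/{WEB_DIR}"   # hypothetical install prefix
        os.makedirs(os.path.join(root, web))
        os.makedirs(os.path.join(root, "tmp"))
        old = datetime(2025, 1, 1, tzinfo=timezone.utc).timestamp()
        new = datetime(2026, 6, 21, tzinfo=timezone.utc).timestamp()
        sample = [(f"{web}/stock_a.jsp", old), (f"{web}/stock_b.jsp", new),
                  (f"{web}/dropped.jsp", new), (MARKER, new)]
        for rel, mtime in sample:
            path = os.path.join(root, rel)
            open(path, "w").close()
            os.utime(path, (mtime, mtime))
        return hunt(root, baseline={f"{web}/stock_a.jsp", f"{web}/stock_b.jsp"})

if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:22} {path}")
```

An empty result only means nothing matched these three checks; a baseline hit with an old timestamp can still be a replaced file, so compare hashes against the known-good install where you can.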
Sources (3)
- Cisco Security Advisory: Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability (www.cisco.com)
- Cisco Unified CM flaw actively exploited to drop webshells (CVE-2026-20230) (www.helpnetsecurity.com)
- Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks (www.bleepingcomputer.com)