Cisco Unified CM CVE-2026-20230: Webshell Drops Confirmed, Patch Alone Won't Evict Attackers
Source: TechTimes


Cisco Unified Communications Manager deployments running with the WebDialer service enabled are under active attack today, June 24, 2026, as threat intelligence firm Defused confirmed that automated Tor-routed sweeps are now installing multi-stage command-execution webshells on vulnerable systems — a significant escalation from the reconnaissance probes first observed over the weekend of June 21–22. The Cisco Unified CM vulnerability, tracked as CVE-2026-20230, has been patchable since June 3, but any organization that was compromised before applying that patch faces a problem the patch itself cannot solve: webshells persist on infected systems even after the underlying flaw is closed.

What Is CVE-2026-20230 and Who Is Affected?

CVE-2026-20230 is a server-side request forgery vulnerability in Cisco Unified CM and Unified CM Session Management Edition, rooted in the WebDialer service — a browser-based click-to-dial component that lets users initiate calls from a web directory or desktop application. The flaw scores 8.6 (High) under the Common Vulnerability Scoring System, but Cisco elevated its Security Impact Rating to Critical because the attack does not end with file writes — it ends with root access. The advisory identifier is cisco-sa-cucm-ssrf-cXPnHcW.

Exploiting CVE-2026-20230 requires no authentication and no user interaction. An attacker needs only network access to a Unified CM system with WebDialer enabled. WebDialer is disabled by default, but it is routinely activated in production enterprise telephony deployments to support click-to-dial functionality, making a substantial portion of the real-world install base exposed.

Affected software includes all Unified CM and Unified CM SME 14.x releases prior to 14SU6 and all 15.x releases prior to 15SU5, which is not scheduled until September 2026. Cisco has made an interim Cisco Options Package (COP) patch available for 15.x in the meantime.

How the WebDialer Exploit Chain Works

The attack chain documented by SSD Secure Disclosure runs three steps and requires no credentials at any stage.

First, the attacker queries a specific URL on the target Unified CM server to retrieve the system's true hostname — a prerequisite for the file-write stage. This information is available without authentication. Second, the attacker crafts an HTTP GET request to the /cmplatform/installClusterStatusExecute endpoint, injecting a malformed hostname value that embeds an Apache Axis Web Service Deployment Descriptor (WSDD) XML payload inside a path traversal sequence. The Unified CM server, running WebDialer inside Cisco Tomcat on port 8443, processes this request without validating the hostname parameter against an allowlist. Because internal loopback services on the Cisco Voice Operating System inherently trust local traffic, the server-side request forgery forces the server to write the XML content as a file to a path the attacker controls — deploying a rogue Apache Axis service.

Third, the attacker sends a second request to the newly deployed Axis service endpoint, passing a JSP code snippet as an argument. The Axis LogHandler writes that snippet to a file under /platform-services/axis2-web/ — the Tomcat web application directory. From that point, any HTTP request to the corresponding URL executes the JSP as server-side code with the privileges of the Tomcat process. Standard Linux privilege-escalation techniques — writing to SSH authorized key files, modifying cron directories, or planting files in web-accessible paths — complete the path to full root access.

This chain is architecturally similar to CVE-2019-0227, a 2019 Apache Axis 1.4 vulnerability that used the same LogHandler file-write mechanism. Cisco's Unified CM embedded the Axis library without input validation controls sufficient to prevent its reuse as a write primitive.

Attacks Escalate from Reconnaissance to Webshell Deployment

Defused first reported exploitation activity over the weekend of June 21–22, when its honeypot infrastructure received file-write attempts using properly formatted file:// payloads targeting /tmp/cve-2026-20230-test.txt — a classic fingerprinting technique used to confirm which hosts are vulnerable before escalating to more destructive activity. That initial activity originated from a single IP address.

By June 24, Defused reported a qualitative change: automated sweeps routing through Tor were actively deploying three-stage webshells. The attack chain observed by Defused uses the WebDialer server-side request forgery to deploy a rogue Apache Axis service, uses that service to write a first-stage JSP file-writer, and then drops a second-stage command-execution shell under /platform-services/axis2-web/. Each stage runs without credentials; once the second-stage shell is installed, the attacker has persistent remote code execution capability on the Unified CM server with no further need for the original vulnerability.

CVE-2026-20230 had not yet been added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog as of June 24. That designation is widely expected to follow given the confirmed in-the-wild activity; the previous Unified CM vulnerability exploited in 2026, CVE-2026-20045, was added to the catalog on January 21, 2026. Cisco has not yet updated its advisory to reflect confirmed exploitation, and neither Cisco nor Defused has released indicators of compromise or attributed the activity to a specific threat actor.


Why Enterprise Telephony Infrastructure Is High-Value for Attackers

Cisco Unified CM is the flagship on-premises call control and session management platform for large enterprises. It functions as the central node for voice routing, video, voicemail, presence, and unified messaging — deployed as a virtual machine, commonly on Cisco UCS servers running VMware ESXi. Hospitals, utilities, financial institutions, and government agencies routinely depend on Unified CM for operational communications, including emergency coordination.

A compromised Unified CM node exposes call routing configurations, internal telephony credentials, dial plans, and voicemail data, and provides a foothold for lateral movement into adjacent network segments. For organizations where Unified CM supports emergency or operational communications, a root-level compromise can have consequences that extend well beyond data theft.

SecurityWeek noted that given Unified CM's role in large enterprise infrastructure, CVE-2026-20230 is likely to attract both profit-driven cybercriminals and state-sponsored threat actors. This marks the second Cisco Unified CM vulnerability confirmed as exploited in attacks during 2026, following CVE-2026-20045.


Patching After Compromise: Why Applying the Update Is Not Enough

This is the most consequential point for any organization that was exposed between June 3 — when the patch became available — and June 24. Applying the June 3 patch closes the CVE-2026-20230 entry point. It does not remove a webshell that was installed before the patch was applied.

Webshells are persistent backdoors. A JSP file dropped under /platform-services/axis2-web/ survives both the patch and a server restart. An attacker with an installed webshell can continue to execute commands on the compromised Unified CM server by making HTTP requests to the shell's URL, with no further need for the original vulnerability. The National Security Agency warned in a 2020 joint advisory that webshell malware is a long-standing, pervasive threat specifically designed to evade many security tools and to provide persistent access to compromised networks even after the initial vulnerability is patched.

Organizations that applied the patch after June 21 — but had WebDialer enabled and the management interface reachable from any internal network segment — should treat their Unified CM deployment as potentially compromised and conduct active incident response, not merely confirm the patch version.

What Security Teams Should Do Now

Patch immediately. For Unified CM 14.x, upgrade to 14SU6. For 15.x, apply the interim COP patch now; do not wait for 15SU5 in September. Consult the Cisco security advisory for version-specific patch file names and upgrade instructions.

Disable WebDialer if it is not operationally required. To check WebDialer status: log in to Cisco Unified CM Administration, navigate to Cisco Unified Serviceability from the Navigation menu, open Tools, and select Control Center – Feature Services. In the CTI Services section, a status of "Started" means the deployment is exposed. To disable it, navigate to Tools, select Service Activation, uncheck Cisco WebDialer Web Service in the CTI Services section, and save. This step eliminates the attack surface for CVE-2026-20230 on unpatched systems and is an appropriate emergency mitigation for any organization that cannot patch immediately.

Restrict management interface access. Cisco Unified CM administration and serviceability interfaces should not be reachable from the internet, user VLANs, or guest network segments. Access should be limited to authorized administrative workstations and jump hosts via access control lists.

Hunt for post-exploitation indicators. Review OS-level audit logs for unexpected file creation events, particularly in /tmp/ and under /platform-services/. Search for new JSP files in Tomcat web application directories. Check web server logs for unusual requests to /webdialer/services/ paths and to the axis2-web directory that do not correspond to expected usage. Review for new local user accounts with elevated privileges and unauthorized modifications to cron directories or SSH authorized key files.
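The log review and JSP search described above, together with the earlier point that a dropped JSP survives both the patch and a restart, can be scripted. The script below is an added example written for this article, not tooling from Cisco, Defused or SSD: it parses access log lines for the endpoints the article names (the /cmplatform/installClusterStatusExecute SSRF endpoint with a hostname that is not a hostname, /webdialer/services/ paths, and JSP files under /platform-services/axis2-web/) and lists recently modified JSP files under a directory for comparison against a known-good build. The sample log lines are constructed; the Apache/Tomcat common log layout and the exact query key `hostname` are assumptions.

```python
"""Indicator hunt for CVE-2026-20230 post-exploitation (added example).

Paths come from the article. The access-log layout (common log format),
the query key 'hostname' and the sample lines are assumptions
constructed for this example; baseline the results against a clean
install before treating any hit as confirmed.
"""
import os
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

SSRF_ENDPOINT = "/cmplatform/installClusterStatusExecute"
WEBDIALER_PATH = "/webdialer/services/"
AXIS_WEB_DIR = "/platform-services/axis2-web/"

# Common log format: client ident user [timestamp] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A plausible hostname: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def classify_request(path):
    """Return indicator tags for one request path; an empty list means benign."""
    tags = []
    parts = urlsplit(path)
    route = parts.path.lower()
    if route == SSRF_ENDPOINT.lower():
        # parse_qs percent-decodes, so '..%2F' arrives here as '../'
        hostname = parse_qs(parts.query).get("hostname", [""])[0]
        if hostname and not HOSTNAME_RE.match(hostname):
            tags.append("malformed-hostname")
        if TRAVERSAL_RE.search(hostname):
            tags.append("traversal-in-hostname")
        if "<deployment" in hostname.lower():  # root element of an Axis WSDD
            tags.append("wsdd-in-hostname")
    elif route.startswith(WEBDIALER_PATH):
        tags.append("webdialer-service-request")
    elif route.startswith(AXIS_WEB_DIR) and route.endswith(".jsp"):
        tags.append("jsp-under-axis2-web")
    return tags


def hunt_access_log(lines):
    """Parse access-log lines and return the suspicious ones with their tags."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not silently trusted
        tags = classify_request(m.group("path"))
        if tags:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "method": m.group("method"), "path": m.group("path"),
                             "status": int(m.group("status")), "tags": tags})
    return findings


def count_by_ip(findings):
    """Findings per client address; Tor-routed sweeps show up as many exits."""
    return Counter(f["ip"] for f in findings)


def find_recent_jsp(root, since_epoch):
    """List .jsp files under root modified at or after since_epoch (seconds).

    Compare against the JSPs shipped with the build; any file you did not
    ship is a webshell candidate regardless of whether the patch is applied.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jsp"):
                full = os.path.join(dirpath, name)
                if os.path.getmtime(full) >= since_epoch:
                    hits.append(full)
    return sorted(hits)


# Constructed sample: one admin session plus a three-request intrusion.
SAMPLE_LOG = """\
10.0.5.20 - - [22/Jun/2026:03:14:07 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 200 5120
10.0.5.20 - - [22/Jun/2026:03:14:30 +0000] "GET /cmplatform/installClusterStatusExecute?hostname=cucm01.corp.example HTTP/1.1" 200 880
198.51.100.7 - - [22/Jun/2026:03:15:41 +0000] "GET /cmplatform/installClusterStatusExecute?hostname=..%2F..%2Ftmp%2Fcve-test HTTP/1.1" 200 233
198.51.100.7 - - [22/Jun/2026:03:16:02 +0000] "GET /cmplatform/installClusterStatusExecute?hostname=..%2F..%2Fx%3Cdeployment%3E HTTP/1.1" 200 233
198.51.100.7 - - [22/Jun/2026:03:17:30 +0000] "POST /platform-services/axis2-web/w.jsp HTTP/1.1" 200 18
10.0.5.21 - - [22/Jun/2026:03:18:00 +0000] "GET /webdialer/services/Webdialer HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    found = hunt_access_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["ip"], f["ts"], f["method"], f["path"], ",".join(f["tags"]))
    print(dict(count_by_ip(found)))
```

Run it against the real Tomcat access logs (and point `find_recent_jsp` at the web application root with the June 3 patch time as `since_epoch`) rather than the embedded sample. A legitimate administrative call to the endpoint with a well-formed hostname produces no finding, so the hit list stays short enough to review by hand.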

Audit for end-of-life software. Any Unified CM deployment running a version for which Cisco no longer provides security patches should be treated as an emergency upgrade priority. CVE-2026-20230 is actively exploited and no mitigation exists for unsupported versions other than upgrading or taking the system offline.

Frequently Asked Questions

How do I know if my Cisco Unified CM deployment is vulnerable to CVE-2026-20230?

Vulnerability requires two conditions: the system must be running Unified CM or Unified CM SME 14.x prior to 14SU6 or 15.x prior to 15SU5, and the WebDialer service must be enabled. To check WebDialer status, log in to Cisco Unified CM Administration, choose Cisco Unified Serviceability from the Navigation menu, open Tools, and navigate to Control Center – Feature Services. In the CTI Services section, a status of "Started" for Cisco WebDialer Web Service means the deployment is vulnerable. A status of "Not Running" means it is not exposed to this specific vulnerability.

If I patched on June 3 but had WebDialer enabled, am I safe now?

If you applied the June 3 patch before any exploitation attempt reached your systems, yes — the vulnerability is closed and no attacker could have used it to install a webshell. However, if your WebDialer-enabled deployment was reachable from any internal network segment between June 21–24 and you have not yet hunted for post-exploitation indicators — unexpected JSP files in /platform-services/axis2-web/, unusual requests in web server logs, new local accounts — you should conduct active incident response. Patching closes the door but does not evict an attacker who may already be inside.

Does disabling WebDialer fully protect an unpatched system?

Disabling the Cisco WebDialer Web Service eliminates the attack surface for CVE-2026-20230 specifically, because the vulnerability can only be triggered when that service is running. Cisco describes this as a valid interim mitigation for organizations that cannot immediately apply the patch. However, it does not fix the underlying input validation flaw in the software, and it should be followed by patching as soon as the update can be deployed. Administrators should verify that disabling WebDialer does not disrupt click-to-dial functionality that business operations depend on before applying this step.

Is this the same Cisco vulnerability that CISA added to its known-exploited list in January 2026?

No. That vulnerability, CVE-2026-20045, was a code injection flaw in Cisco Unified CM and related voice products that was exploited as a zero-day before a patch was available; CISA added it to the Known Exploited Vulnerabilities catalog on January 21, 2026. CVE-2026-20230 is a separate server-side request forgery vulnerability in the WebDialer component, patched June 3, 2026. As of June 24, CVE-2026-20230 has not yet been added to the catalog, though security researchers expect that designation to follow given confirmed active exploitation.