Cisco admits hackers are breaking into its phone system software — here's what that means
A flaw in Cisco Unified Communications Manager, the software that runs office phone systems, is now being actively abused after a patch and public exploit code lit the fuse.

Key points
- Cisco confirmed on Wednesday that hackers are actively exploiting a flaw, tracked as CVE-2026-20230, in its Unified Communications Manager phone-system software.
- The bug was patched on 3 June 2026, but working attack code was published publicly within weeks.
- Threat intelligence firm Defused first spotted real-world attacks on 22 June 2026, with hackers using the flaw to write files onto target servers.
- Watchdog group Shadowserver is tracking more than 200 vulnerable Cisco Unified CM systems still exposed on the public internet, mostly in Asia and North America.
- Cisco tells customers to install version 14SU6 or 15SU5, or to switch off the vulnerable WebDialer service in the meantime.
Cisco has finally said out loud what defenders suspected for weeks: attackers are breaking into its office phone software in the wild.
The product is called Cisco Unified Communications Manager, or Unified CM. Think of it as the brain behind a large company's phone system — it decides how calls are routed, which desk phones ring, and which features each user gets. It used to be called CallManager, and it sits at the centre of Cisco's internet-based telephony.
The flaw carries the ID CVE-2026-20230. In plain English, it lets an attacker on the internet — with no username or password — trick the server into making requests on their behalf. Security people call this a server-side request forgery, or SSRF: the server is fooled into fetching or writing things the attacker chooses. It is essentially the phone-system equivalent of handing a stranger your office intercom and letting them dial any extension they want.
How did this go from patched to actively abused?
Quickly, and pretty predictably. Cisco shipped fixes on 3 June 2026 and admitted that proof-of-concept code — a working demo of the attack — was already floating around online. At that point the company said it had no evidence of real attacks.
Three weeks later, that changed. On 22 June, threat intelligence firm Defused spotted attackers using carefully built file:// payloads to create files on vulnerable servers. A day after that, researchers at SSD Secure published a full write-up with their own working exploit. BleepingComputer, which first reported the confirmation, says it asked Cisco about active abuse at the time and got no answer.
Now Cisco has updated its advisory. Its Product Security Incident Response Team says it "became aware of active exploitation of this vulnerability" in June 2026 and is telling customers to patch immediately.
What should organisations running Cisco phones do?
Install the fix. Cisco says the safe versions are Unified CM 14SU6 and 15SU5, either shipped in September 2026 or delivered as a COP file, which is Cisco's format for smaller patch bundles.
Can't patch this week? Cisco's workaround is to disable the WebDialer service, the specific component the attackers are hitting. That takes away the door without touching the rest of the phone system.
Should ordinary customers and employees worry?
Not directly, but the knock-on effects are real. A phone system is a soft target that touches everything: voicemail, call recordings, internal directories, sometimes even door intercoms. Once attackers have a foothold on that server, they are already inside the network.
If your employer runs Cisco phones and you suddenly get calls or voicemails that look off — spoofed internal extensions, odd requests for passwords, unusual redirects — treat them the way you'd treat a suspicious email. Verify through a second channel.
Cisco has form here. It patched two other Unified CM flaws in the last two years that handed attackers full control of the server, and a separate one, CVE-2026-20045, was used as a zero-day, meaning attackers found it before Cisco did. The U.S. Cybersecurity and Infrastructure Security Agency has flagged 93 Cisco bugs as actively exploited since November 2021. Six of those turned up in ransomware attacks, where criminals lock a victim's files and demand payment.
The pattern is familiar. Patch drops, exploit code appears, a couple of weeks pass, attacks begin. The organisations that lose are the ones still counting the days.



