Cisco Phone System Flaw Now Being Actively Exploited — Patch Immediately
A security hole in Cisco's business phone software is being used in real attacks. Millions of offices run this software. The fix has existed since June.

Key points
- Cisco confirmed on Wednesday that attackers are actively exploiting CVE-2025-20230, a flaw in its Unified Communications Manager software used by businesses to run phone and video systems.
- The flaw carries a severity score of 8.6 out of 10 and can give an attacker full administrative — "root" — control over the targeted machine.
- Only systems with the WebDialer service switched on are vulnerable; that service is off by default.
- Cisco released a fix in early June 2025 in software version 14SU6, with a second update due in version 15SU5 in September 2025.
- Security research firm SSD Secure Disclosure published a working proof-of-concept — a ready-made attack tool — before Cisco confirmed the exploitation.
Cisco's Unified Communications Manager, often called Unified CM, is the software that businesses use to manage their office phone calls, video meetings, and voicemail. Tens of thousands of organisations worldwide run it. Last week, Cisco told SecurityWeek it had seen no malicious use of a known flaw in that software. On Wednesday, it changed its answer.
The vulnerability, tracked as CVE-2025-20230, works through something called a server-side request forgery — where an attacker tricks the server into making web requests on their behalf, like a fraudster persuading a bank teller to hand over a file. That lets the attacker drop unauthorised files onto the machine. From there, they can climb to root access, meaning they own the entire system.
The failure mode here is a familiar one: a PoC — a proof-of-concept exploit, essentially a published recipe for the attack — landed publicly before customer patching had time to catch up.
How did the attackers get in?
Exploit intelligence firm Defused spotted the first real-world attacks coming from a single source, using that published PoC tool. SSD Secure Disclosure, the security research group credited with finding the flaw, had posted full technical details and the working attack code shortly before. Once that information is public, criminals with modest technical skill can use it.
To pull this off, the targeted Cisco system must have had the WebDialer service — a feature that lets browser-based applications dial phone calls — switched on. Cisco ships the product with WebDialer disabled. Any organisation that turned it on without a business need handed attackers an open door.
For ordinary employees, the immediate risk is disruption. An attacker with root access to a phone system can intercept calls, redirect voicemail, or use the server as a foothold to reach other internal systems. In a hospital, that could affect patient care coordination. In a financial firm, it touches trading desks.
One thing the post-mortem will say: we knew about this in June and hadn't patched.
Cisco is urging customers to upgrade to version 14SU6 now and not wait for 15SU5. If WebDialer is not specifically needed, disable it — that closes the exposure entirely regardless of patch status.
In practice, the gap between "patch released" and "patch applied" is where nearly every exploited vulnerability lives.
Operational takeaway: Check whether WebDialer is enabled on your Unified CM deployment today — if it isn't needed, turn it off before you even think about the patch schedule.



