Cisco Unified CM Under Fire Again: The WebDialer Root Flaw
Cisco patches a critical Unified CM bug allowing unauthenticated root access, while public exploit code forces urgent manual mitigations.
Cisco just dropped a critical advisory for Unified Communications Manager, and you need to check your voice servers immediately because a working proof-of-concept exploit is already circulating online. The flaw allows an unauthenticated attacker on your network to drop arbitrary files onto the underlying operating system and then escalate straight to full root privileges.
The bug is tracked as CVE-2026-20230. It is a classic Server-Side Request Forgery vulnerability where the system fails to properly validate incoming HTTP requests. By sending a carefully crafted request, an outsider can force the server to write malicious files to local directories. Cisco PSIRT initially gave the flaw an 8.6 CVSS score because the base metrics technically only account for the initial file write. However, Cisco bumped the actual advisory rating to Critical because anyone who successfully drops those files can easily execute them to gain complete control over the box.
There is one saving grace for overworked sysadmins. The flaw only works if you have the WebDialer feature running, which is thankfully turned off by default. However, if your clients use third-party integrations or CRM screen-pops that rely on WebDialer, you are completely exposed. To verify your status, log into Cisco Unified Serviceability, navigate to Tools, click Control Center, and look at your Feature Services. If the Cisco WebDialer Web Service in the CTI section says "Started," your runway just got incredibly short.
Getting the fix deployed is going to be a headache depending on what version you run. If you are on the older 14 train, you can install the 14SU6 update to patch the holes. If you are on the current version 15 train, Cisco is not releasing the full Service Update 5 until September 2026. That means you are stuck installing an interim COP patch manually, or you have to turn the WebDialer service off entirely under Service Activation until the vendor releases the final build.
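For a multi-node estate, the service check and the per-train decision above can be scripted over saved CLI captures; the following is an added example, not Cisco's or this article's own tooling. It assumes the captures come from the CUCM CLI commands `utils service list` and `show version active`, that their lines follow the `Name[STATE]` and `Active Master Version:` layouts shown, and it uses constructed hostnames and build numbers.

```python
import re

# Assumed `utils service list` line layout: "<Service Name>[STATE]  optional note"
SERVICE_RE = re.compile(r"^(?P<name>.+?)\[(?P<state>[A-Z]+)\]", re.M)
# Assumed `show version active` layout: "Active Master Version: <major>.<minor>..."
VERSION_RE = re.compile(r"Active Master Version:\s*(?P<major>\d+)\.")
WEBDIALER = "Cisco WebDialer Web Service"  # service name as given in the article

def webdialer_state(service_list):
    """Return the WebDialer state string, or None if the service is not listed."""
    for m in SERVICE_RE.finditer(service_list):
        if m["name"].strip() == WEBDIALER:
            return m["state"]
    return None

def release_train(version_output):
    """Return the major release train (14, 15, ...) or None if unparseable."""
    m = VERSION_RE.search(version_output)
    return int(m["major"]) if m else None

def triage(service_list, version_output):
    """Map one node's captures to the action the article recommends."""
    state = webdialer_state(service_list)
    if state is None:
        return "UNKNOWN: WebDialer not listed, check Cisco Unified Serviceability"
    if state != "STARTED":
        return "OK: WebDialer is not running"
    train = release_train(version_output)
    if train == 14:
        return "PATCH: install 14SU6"
    if train == 15:
        return "MITIGATE: install the interim COP patch or deactivate WebDialer"
    return "REVIEW: WebDialer running on a train the article does not cover"

# Constructed captures (hostnames and build numbers are placeholders).
NODES = {
    "cucm-a.example": ("Cisco Tftp[STARTED]\nCisco WebDialer Web Service[STARTED]\n",
                       "Active Master Version: 15.0.1.00000-0\n"),
    "cucm-b.example": ("Cisco Tftp[STARTED]\nCisco WebDialer Web Service[STARTED]\n",
                       "Active Master Version: 14.0.1.00000-0\n"),
    "cucm-c.example": ("Cisco WebDialer Web Service[STOPPED]  Service Not Activated\n",
                       "Active Master Version: 15.0.1.00000-0\n"),
}

if __name__ == "__main__":
    for host, (services, version) in NODES.items():
        print(f"{host}: {triage(services, version)}")
```

The script only reads the release train, so a 14-train node that already has 14SU6 installed will still be flagged and needs a manual check.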
This is just the latest entry in a long line of unauthenticated root exploits hitting Cisco voice platforms. Last summer, we had to deal with a hard-coded root SSH password left behind by developers. Back in January, an unauthenticated remote code execution bug was actively exploited in the wild, forcing CISA to add it to its Known Exploited Vulnerabilities catalog. This new flaw follows the exact same frustrating pattern of Cisco servers implicitly trusting requests that should have been dropped at the perimeter.
Given that the exploit code is public and the official version 15 patch is months away, threat actors will weaponize this quickly. If you cannot install the interim patch immediately, turn WebDialer off today.