Back to News

CVE-2026-20230: Cisco Unified CM Actively Exploited — 30 June 2026: The 10-Step VoIP Security Action Plan Every UK SME Must Run This Week

CVE-2026-20230: Cisco Unified CM Actively Exploited — 30 June 2026: The 10-Step VoIP Security Action Plan Every UK SME Must Run This Week

On 30 June 2026, every UK organisation running an on-premise Cisco Unified Communications Manager — the enterprise telephony backbone known across the industry as Unified CM or CallManager — is sitting three weeks behind a critical security fix that attackers are now actively exploiting. The vulnerability is tracked as CVE-2026-20230, a CVSS 8.6 server-side request forgery (SSRF) flaw in the Unified CM WebDialer service that lets an unauthenticated, remote attacker write arbitrary files to the underlying operating system and escalate to root. Cisco shipped the patch on 3 June 2026. Active exploitation in the wild was first confirmed on 24 June 2026 through Tor-routed honeypot hits. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalogue on 25 June 2026 with a three-day remediation deadline for federal agencies that expired on 28 June 2026.

For UK SMEs, the maths is uncomfortable. If your phone system runs on a Cisco Unified CM appliance with the WebDialer service enabled — and WebDialer is enabled on a large share of deployments because it powers the click-to-call functionality that integrates handsets with CRM systems — then your call platform has been remotely exploitable for three weeks, and confirmed attacks against that exact vulnerability have been running since 24 June. This is the second Cisco Unified CM CVE to be actively exploited in 2026, after CVE-2026-20045, a code-injection flaw exploited in zero-day attacks earlier in the year. This article decodes precisely what the flaw is, how the attack chain works, why it lands hardest on UK businesses still running legacy on-premise telephony, and the 10-step VoIP security action plan every UK SME must run this week.

8.6
CVSS score — Critical (CVE-2026-20230)
3 Jun
Cisco patch released (2026) — you are weeks overdue
24 Jun
Active exploitation first observed (2026)
25 Jun
Added to CISA KEV catalogue (2026)

What CVE-2026-20230 Actually Is

Cisco Unified Communications Manager is the call-control platform that sits at the heart of enterprise IP telephony. It registers handsets and softphones, routes calls, runs auto-attendants and hunt groups, manages call queues, and provides the integration layer that connects telephony to business applications. Versions of it are deployed across UK mid-market businesses, NHS trusts, financial services firms and professional services practices — anywhere that invested in an on-premise Cisco voice estate over the last decade. It is precisely the kind of infrastructure that gets installed, configured, and then largely left alone until something breaks.

CVE-2026-20230 is a server-side request forgery vulnerability in the Unified CM WebDialer service. SSRF is a class of flaw where an attacker tricks a server into making requests on the attacker’s behalf — reaching internal services, or, in the more dangerous cases, manipulating the server into performing actions that were never intended. In this instance, the WebDialer SSRF can be chained into arbitrary file write on the host operating system, and from there to remote code execution running as root. Because the WebDialer interface is reachable without authentication, an attacker does not need credentials, a foothold, or any prior access. They need only network reachability to the WebDialer endpoint and an unpatched appliance.

The critical conditional is the WebDialer service itself. WebDialer is disabled by default in a clean Unified CM installation, which means a meaningful number of deployments are not exposed. But WebDialer is the service that delivers click-to-call — the feature that lets a user click a phone number in their CRM, helpdesk tool or directory and have their desk phone or softphone place the call automatically. That is a genuinely useful productivity feature, and as a result WebDialer is commonly enabled in real-world deployments. The result is a large population of Unified CM systems where the vulnerable service is active, internet-adjacent or internet-facing, and unpatched. Cisco addressed the flaw in Unified CM 14SU6 and 15SU5; any version below those release trains with WebDialer enabled is exposed.

Why this is an emergency, not a maintenance item

This is not a theoretical CVE waiting for a proof-of-concept. A public proof-of-concept exploit has been available since 23 June 2026, automated exploitation via Tor was observed in honeypots from 24 June 2026, and CISA escalated it to the KEV catalogue on 25 June with a three-day federal deadline that has already passed. The attack requires no authentication and grants root. A compromised call-control server is not merely a downtime risk: it can be used to intercept or reroute calls, harvest call-detail records and voicemail, pivot deeper into the corporate network, and stage further attacks. If your Unified CM appliance has WebDialer enabled and the June patch is not applied, you should treat it as a live incident, not a patch on next month’s change board.

The Timeline: From Patch to Active Exploitation

Earlier in 2026 — CVE-2026-20045 exploited as a zero-day
A separate code-injection flaw in Cisco enterprise communications was exploited in zero-day attacks earlier in 2026. CVE-2026-20230 is the second Cisco Unified CM vulnerability to be actively exploited this year — a pattern that should concern any business relying on an ageing on-premise voice platform.
3 June 2026 — Cisco releases the patch
Cisco published the security advisory and fixed releases for CVE-2026-20230. The patched versions are Unified CM 14SU6 and 15SU5. From this date, the existence of the vulnerability was public knowledge and the clock started for every organisation running an unpatched appliance.
23 June 2026 — Public proof-of-concept appears
A working proof-of-concept exploit for the WebDialer SSRF became publicly available, dramatically lowering the barrier to exploitation. Once a PoC is public, the time between disclosure and mass automated scanning typically collapses to hours.
24 June 2026 — Active exploitation confirmed in the wild
Security researchers operating honeypot infrastructure observed automated exploitation attempts arriving over the Tor network. The attacks attempt to drop webshells via the WebDialer SSRF chain, indicating opportunistic, internet-wide sweeping rather than targeted intrusion — meaning any exposed appliance is in scope, regardless of the organisation’s size or profile.
25 June 2026 — CISA adds CVE-2026-20230 to the KEV catalogue
CISA listed the vulnerability in its Known Exploited Vulnerabilities catalogue, the authoritative US register of flaws confirmed to be under active attack. KEV listing is reserved for vulnerabilities with reliable evidence of exploitation and triggers mandatory remediation timelines for US federal civilian agencies.
28 June 2026 — US federal remediation deadline expires
The three-day deadline CISA set for US federal agencies to patch or disconnect affected systems passed. While UK businesses are not bound by CISA’s deadlines, the three-day window is a clear signal of how seriously the highest-authority cyber agencies regard this flaw.
30 June 2026 — Today’s position for UK SMEs
Any UK organisation running Unified CM with WebDialer enabled and without the 14SU6 or 15SU5 update is now 27 days behind the patch and six days into a confirmed active-exploitation campaign. The immediate task is to determine exposure, patch or mitigate, and check for compromise — then to make the strategic decision about whether on-premise telephony still belongs in the business at all.

How the Attack Chain Works

Understanding the attack chain matters because it explains why patching alone is not the end of the response — if an appliance was exposed during the active-exploitation window, it may already have been compromised, and a webshell will survive a patch. The exploitation observed in the wild follows a defined multi-stage sequence, and each stage tells you something about what to look for.

The chain begins with the WebDialer SSRF being abused to reach a rogue Apache Axis service that the attacker stands up as part of the exploit. From there, a JSP first-stage payload acts as a file-writer, planting a second-stage component on disk. That second stage is a command-execution shell, deployed under the /platform-services/axis2-web/ path on the appliance. Once the command shell is in place, the attacker has interactive, root-level control of the call-control server. The entire sequence is automatable, which is exactly what the Tor-routed honeypot hits demonstrate: this is being run as an internet-wide sweep, not hand-crafted against named targets.

The practical consequence is twofold. First, any business with an exposed appliance should assume scanning has reached it, because indiscriminate automated sweeping does not skip small organisations. Second, applying the patch removes the vulnerability but does not remove a webshell that an attacker placed before the patch was applied. The presence of unexpected files under the Axis2 web path, anomalous outbound connections, or unexplained processes running as root are all indicators that warrant a compromise assessment, not just a patch and a tick in the box.

Authentication required to exploit
None
Privilege gained on success
Root
CVSS base score severity
8.6 / Critical
Days from patch to public PoC
20 days
Days from PoC to active exploitation
1 day
CISA federal remediation window
3 days
WebDialer prevalence (enabled for click-to-call)
Common in real deployments

The bar chart makes the risk profile plain. A flaw that requires no authentication, grants root, and went from public proof-of-concept to confirmed active exploitation in a single day is about as serious as a remotely exploitable vulnerability gets. The one variable that determines whether a given organisation is exposed is whether WebDialer is enabled — and because that service underpins a popular productivity feature, a large share of real-world deployments have it switched on.

How Much of the Window Has Already Closed

90%
Roughly 90% of the time an attacker needs has elapsed: 27 days since the patch, with confirmed exploitation running for six of the last days before this article’s date

The point of the figure above is not statistical precision — it is to frame the urgency in terms a business decision-maker recognises. From the moment Cisco published the fix on 3 June, the disclosure timer started. By the time a public proof-of-concept landed on 23 June and automated exploitation followed on 24 June, the defensive window for unpatched organisations had effectively closed. For a business reading this on 30 June, the question is no longer “how long do we have to patch” but “were we exposed during the window, and do we need to check for compromise as well as patch.” That shift — from prevention to containment and verification — is the defining characteristic of responding to an actively exploited vulnerability rather than a routine one.

The VoIP Security Scorecard for UK SMEs

Where on-premise Unified CM estates typically stand today
WebDialer service status known and documented Low — many operators cannot say without checking
Unified CM on a supported release train (14SU6 / 15SU5) Mid — depends on last upgrade cycle
Call-control management interface restricted from the internet Mid — often partially exposed via remote access
Documented patch cycle for telephony infrastructure Low — voice systems are frequently “set and forget”
Logging and monitoring on the voice platform Low — rarely fed into central monitoring
Compromise-assessment capability for the appliance Low — few SMEs can inspect the host OS
PSTN switch-off migration already underway Mid — January 2027 deadline focusing minds
Telephony covered by a managed patch-and-support contract Low for self-managed on-premise estates

The scorecard captures the structural weakness that CVE-2026-20230 exposes. On-premise telephony tends to be treated as plumbing: installed once, expected to run for years, and rarely brought into the same patch, logging and monitoring discipline applied to servers and endpoints. That is exactly the environment in which a critical, unauthenticated, root-granting flaw can sit unpatched for weeks. The businesses that are well-positioned are those that either keep their voice infrastructure under a managed support contract with a defined patch cadence, or have already moved to cloud-hosted telephony where patching is the provider’s responsibility, not the customer’s.

The Cost and Exposure by Business Size

Business size Typical telephony setup CVE-2026-20230 exposure Realistic impact of compromise
Micro (1–9 employees) Usually already on hosted VoIP or mobile-first Low — rarely runs on-premise Unified CM Limited direct exposure; check any inherited legacy kit
Small (10–49 employees) Mix of hosted VoIP and ageing on-premise PBX Medium — some legacy Cisco voice estates remain Call interception, network pivot, downtime to core comms
Medium (50–249 employees) Frequently on-premise Unified CM with CRM integration High — WebDialer commonly enabled for click-to-call Root on a core server, lateral movement, data and call-record theft
Mid-market / regulated (250+) Established Unified CM clusters; NHS, finance, professional services High — large attack surface, complex change control Regulatory exposure, supply-chain risk, significant incident cost
Any size on legacy ISDN/analogue Approaching the PSTN switch-off cliff edge Variable — but migration is mandatory by January 2027 Forced migration under time pressure rather than on your terms

The table reflects a pattern Cloudswitched sees repeatedly across the UK mid-market: the organisations most exposed to CVE-2026-20230 are precisely those that invested in a serious on-premise Cisco voice platform years ago, enabled click-to-call because it was useful, and have not revisited the patch posture of that platform since. These are not careless businesses — they are businesses for whom telephony became invisible infrastructure. The DSIT Cyber Security Breaches Survey 2025/2026, published on 30 April 2026, found that 43 per cent of UK businesses identified a cyber breach or attack in the last 12 months, against an estimated 5.19 million cyber crimes against UK businesses annually. Voice infrastructure is part of that attack surface, and it is one of the least frequently audited parts of it.

On-Premise Unified CM vs Cloud-Hosted Telephony

On-premise Unified CM

What an exposed SME operates today

  • Patching is the customer’s responsibility — and frequently slips
  • A critical CVE means an emergency change window for your team
  • WebDialer and other services exposed depending on local config
  • Host OS rarely monitored or fed into central logging
  • Compromise assessment requires specialist appliance access
  • Hardware ages; refresh and support costs recur
  • Still tied to legacy lines facing the January 2027 PSTN switch-off
  • Security depends entirely on local discipline and time

Cloud-hosted telephony

Where Cloudswitched takes you

  • Patch cadence is the platform provider’s problem, not yours
  • Critical fixes are applied centrally without a customer change window
  • No customer-exposed call-control appliance to scan and exploit
  • Platform monitoring and fraud protection built in
  • 99.99% platform uptime via the Fidelity Group Horizon platform
  • No on-premise hardware to age, refresh or maintain
  • PSTN switch-off ready — already IP-based by design
  • Click-to-call and CRM integration delivered safely in the cloud

The comparison is not an argument that on-premise telephony is inherently insecure — a well-managed Unified CM cluster under a disciplined patch regime is a perfectly defensible choice. The argument is narrower and more practical: CVE-2026-20230 is a concrete demonstration that owning the call-control appliance means owning the patch responsibility, the monitoring responsibility, and the compromise-assessment responsibility. For an SME without a dedicated voice-engineering function, those responsibilities are exactly the ones that fall through the cracks. Cloud-hosted telephony does not make security someone else’s problem in the abstract; it specifically moves the appliance-patching burden — the burden that left thousands of systems exposed for 27 days — off the customer entirely.

The 10-Step VoIP Security Action Plan — Run This Week

Step 1 — Confirm whether you run Cisco Unified CM at all, and on which release train
Today
Step 2 — Check the WebDialer service status (Serviceability > Control Center > Feature Services > CTI)
Today
Step 3 — If WebDialer is enabled and the system is unpatched, treat it as live exposure
Today
Step 4 — Apply the Cisco patch: upgrade to Unified CM 14SU6 or 15SU5
This week
Step 5 — If you cannot patch immediately, disable WebDialer where click-to-call is not essential
This week
Step 6 — Restrict management and WebDialer interfaces from the public internet; place behind firewall/VPN
This week
Step 7 — Hunt for compromise: inspect /platform-services/axis2-web/ for unexpected files and rogue processes
This week
Step 8 — Bring telephony into your patch, logging and monitoring regime alongside servers and endpoints
Weeks 2–4
Step 9 — Assess whether on-premise telephony still earns its place, or whether to move to hosted VoIP / Teams Voice
Weeks 4–8
Step 10 — Plan PSTN switch-off migration now — the legacy line cliff edge is January 2027
Before Jan 2027

Steps 1 to 3 are diagnostic and can be completed today by anyone with administrative access to the Unified CM platform. To check the WebDialer status: log in to Cisco Unified CM Administration, switch the Navigation dropdown to Cisco Unified Serviceability, then go to Tools > Control Center — Feature Services, and under the CTI Services section check the status of the Cisco WebDialer Web Service. If it is activated and running and your release is below 14SU6 or 15SU5, you are in the exposed population and Steps 4 to 7 are urgent. Steps 8 to 10 are the strategic response: they move you from firefighting this specific CVE to closing the structural gap that allowed a voice platform to sit unpatched and unmonitored for weeks.

8.6
CVSS severity of CVE-2026-20230 — Critical, unauthenticated, root
The fastest mitigation if you cannot patch today

If you cannot schedule the Unified CM upgrade to 14SU6 or 15SU5 immediately, the single highest-value interim action is to disable the WebDialer service on any system where click-to-call is not business-critical, and to ensure the WebDialer and administrative interfaces are not reachable from the public internet. Because exploitation requires the WebDialer service to be active and reachable, removing either condition closes the immediate attack path while you arrange the patch. This is a mitigation, not a fix — the underlying vulnerability remains until the system is on a patched release — but it buys time safely. Crucially, if the system was internet-reachable during the active-exploitation window since 24 June, also perform Step 7’s compromise check before assuming the mitigation is sufficient: a webshell dropped before you disabled WebDialer will persist regardless.

At-a-Glance: Key Facts on CVE-2026-20230

Topic Key figure or fact Source / context
Vulnerability identifier CVE-2026-20230 Cisco security advisory
CVSS base score 8.6 (Critical) Cisco / NVD
Vulnerability class Server-side request forgery (SSRF) via WebDialer Cisco advisory
Affected product Cisco Unified Communications Manager (Unified CM / Unified CM SME) Cisco advisory
Patched versions Unified CM 14SU6 and 15SU5 Cisco advisory
Authentication required None — unauthenticated, remote Cisco advisory
Privilege gained Root on the underlying OS Attack-chain analysis
Prerequisite for exploitation WebDialer service enabled (off by default, commonly enabled for click-to-call) Cisco advisory
Patch released 3 June 2026 Cisco
Public proof-of-concept 23 June 2026 Security researchers
Active exploitation first observed 24 June 2026 (Tor-routed honeypot hits) Defused Cyber honeypots
Added to CISA KEV catalogue 25 June 2026 CISA
US federal remediation deadline 28 June 2026 CISA KEV
Attack chain WebDialer SSRF → rogue Apache Axis → JSP file-writer → command-execution shell under /platform-services/axis2-web/ Attack-chain analysis
Second Cisco Unified CM CVE exploited in 2026 After CVE-2026-20045 (code injection, zero-day) Cisco / threat reporting
UK businesses breached in last 12 months 43% (DSIT CSBS 2025/2026, published 30 April 2026) DSIT
PSTN switch-off deadline January 2027 — legacy telephony migration mandatory UK telecoms industry

Why This Story Points Straight at Your Telephony Strategy

CVE-2026-20230 is, on its face, a patching story: a critical flaw, a fixed release, and an urgent need to apply it. But for UK SME leaders, the more important lesson is strategic. The organisations exposed to this vulnerability are exposed not because they made a bad decision, but because owning on-premise call-control infrastructure quietly transfers a set of ongoing security responsibilities — patching, hardening, monitoring, compromise assessment — onto a business that often does not have a dedicated voice-engineering team to discharge them. When a critical CVE lands, that gap becomes a 27-day exposure window.

This is the same structural lesson that runs through the wider UK threat landscape in 2026. The decode of the Russia-linked JLR cyberattack and its £2bn cost showed how a single point of infrastructure failure can cascade into national-scale disruption. The analysis of the Scattered Spider TfL breach demonstrated how attackers exploit the gaps between systems and the people managing them. The Five Eyes AI cyber warning made the case that the window between vulnerability disclosure and exploitation is collapsing — a thesis CVE-2026-20230 proves precisely, with one day between public proof-of-concept and active exploitation. The EU’s DMA scrutiny of AWS and Azure and the Veeam 3-2-1-1-0 backup resilience findings both speak to the same underlying question every SME now faces: which infrastructure responsibilities should you own, and which are better discharged by a platform built to carry them?

For telephony specifically, the answer is increasingly clear. The PSTN switch-off in January 2027 means every business still on legacy lines must migrate within roughly 18 months regardless. CVE-2026-20230 is a reminder that the on-premise alternative carries a continuous security cost that is easy to underestimate until a critical flaw forces an emergency response. Moving to cloud-hosted telephony — whether full hosted VoIP, Microsoft Teams Voice, or SIP trunking for businesses that need to keep an existing PBX during transition — resolves both pressures at once: it removes the appliance-patching burden that this CVE exposed, and it puts you on the right side of the PSTN deadline.

Is your phone system a patching liability?

If you are running on-premise Cisco Unified CM, Cloudswitched can help you assess your exposure to CVE-2026-20230 and plan a move to cloud-hosted telephony where patching is the platform’s responsibility, not yours. Hosted VoIP from around £8–£15 per user per month, Microsoft Teams Voice with 2,000 UK landline and mobile minutes included, and SIP trunking to keep your existing PBX — all delivered in partnership with Fidelity Group on a platform with 99.99% uptime, 24/7 support and built-in fraud protection.

Talk to us about VoIP & Phone Systems

Frequently Asked Questions

What is CVE-2026-20230 in plain terms, and should my business be worried?
CVE-2026-20230 is a critical security vulnerability in Cisco Unified Communications Manager, the call-control platform behind many on-premise business phone systems. It is a server-side request forgery flaw in the WebDialer service that lets an attacker on the internet — with no username, password or prior access — write files to the server and take control of it as root. It scored 8.6 out of 10 on the CVSS severity scale. You should be worried if, and only if, you run Cisco Unified CM with the WebDialer service enabled and you have not applied the June 2026 patch. WebDialer powers click-to-call, so it is enabled on a large share of real-world deployments. If you do not run Unified CM at all — for example, if you are already on hosted VoIP or Microsoft Teams Voice — this specific vulnerability does not affect you.
How do I check whether the WebDialer service is enabled on our system?
Log in to Cisco Unified CM Administration, then use the Navigation dropdown in the top-right to switch to Cisco Unified Serviceability. From there, go to Tools > Control Center — Feature Services. Under the CTI Services section, look for the Cisco WebDialer Web Service and check its status. If it shows as activated and running, the service is enabled. Combine that with checking your Unified CM version: if you are on a release below 14SU6 or 15SU5 and WebDialer is running, you are in the exposed population and should patch or mitigate as a priority. If you are unsure how to interpret what you find, your IT support provider or a managed telephony partner can perform this check quickly.
We patched to 14SU6 already. Are we definitely safe now?
Applying the patch closes the vulnerability, so new exploitation attempts against CVE-2026-20230 will fail. However, patching does not undo a compromise that happened before you patched. Active exploitation was confirmed from 24 June 2026, and the patch had been available since 3 June. If your system was internet-reachable with WebDialer enabled at any point in that window, an attacker could have placed a webshell that survives the patch. You should therefore also perform a compromise assessment: inspect the appliance for unexpected files under the /platform-services/axis2-web/ path, look for unexplained processes running as root, and review logs and outbound connections for anomalies. If you find evidence of compromise, treat it as a security incident and engage incident-response support rather than relying on the patch alone.
We can’t schedule a Unified CM upgrade this week. What can we do right now?
The fastest safe interim mitigation is to remove one of the two conditions the exploit needs: the WebDialer service being active, and the interface being reachable. If click-to-call is not business-critical, disable the Cisco WebDialer Web Service. Independently, ensure the WebDialer and administrative interfaces are not exposed to the public internet — place them behind a firewall and require VPN access for management. Either action closes the immediate attack path while you arrange the upgrade. This is a mitigation, not a cure: the underlying flaw remains until you reach a patched release (14SU6 or 15SU5), so still plan the upgrade. And if the system was exposed during the active-exploitation window since 24 June, perform the compromise check as well, because disabling the service now does not remove a webshell dropped earlier.
Why does an attacker want to compromise a phone system specifically?
A call-control server is a high-value target for several reasons. First, root on any internet-reachable server provides a foothold from which to pivot deeper into the corporate network — the phone system sits inside your perimeter and is trusted by other systems. Second, a compromised telephony platform can be abused for toll fraud, routing expensive premium-rate or international calls at the victim’s expense, which can run up large bills quickly. Third, it gives access to sensitive data: call-detail records, voicemail, directory information and the integration links to CRM systems. Fourth, disrupting an organisation’s telephony is itself damaging — for many businesses, losing the phones means losing the ability to operate. The unauthenticated, root-level nature of CVE-2026-20230 makes it an unusually attractive target for automated, opportunistic attackers.
This is the second Cisco Unified CM flaw exploited in 2026. Is on-premise telephony just inherently risky?
It is not that on-premise telephony is inherently insecure — a well-managed Unified CM cluster under a disciplined patch regime can be perfectly defensible. The recurring issue is operational: voice infrastructure is frequently treated as “set and forget” plumbing, installed once and rarely brought into the same patching, logging and monitoring discipline applied to servers and endpoints. When two critical CVEs land in a single year — CVE-2026-20045 earlier in 2026 and now CVE-2026-20230 — the businesses that suffer are the ones without a defined patch cadence for their phone platform. The strategic question this raises is whether your business is equipped to carry the ongoing security responsibility of owning the appliance, or whether that responsibility is better discharged by a cloud telephony provider whose core job is keeping the platform patched.
If we move to cloud-hosted VoIP, does this kind of vulnerability go away?
Moving to cloud-hosted telephony does not make security irrelevant, but it specifically removes the burden that left systems exposed to CVE-2026-20230: customer-side appliance patching. With hosted VoIP or Microsoft Teams Voice, there is no on-premise call-control server for you to patch, harden and monitor — the platform provider applies critical fixes centrally, usually without any change window or action on your part. You no longer have a customer-exposed WebDialer interface for an attacker to scan and exploit. You still have responsibilities — strong account security, sensible call-permission policies, and protecting the endpoints and identities that access the service — but the specific failure mode of an unpatched, internet-reachable appliance simply does not exist in the same way. Cloudswitched delivers hosted VoIP and Teams Voice on the Fidelity Group platform with built-in fraud protection and 99.99% uptime.
How does the January 2027 PSTN switch-off connect to this?
The two pressures reinforce each other. The PSTN switch-off in January 2027 means every UK business still using traditional analogue or ISDN telephony must migrate to an IP-based system within roughly 18 months — this is a hard industry deadline, not optional. CVE-2026-20230 adds a security dimension: if you are going to have to modernise your telephony anyway before January 2027, doing so by moving to cloud-hosted VoIP or Teams Voice also resolves the appliance-patching liability this vulnerability exposed. Rather than running an emergency patch cycle on legacy on-premise kit now, then migrating off it within the year regardless, many businesses will find it more sensible to bring the migration forward and solve both problems with one project. Planning that migration now, on your own terms, is far preferable to being forced into it at the last minute.
We use a managed IT provider. Should they have handled this patch already?
It depends entirely on what your contract covers. A managed IT support contract that explicitly includes your telephony infrastructure — with a defined patch cadence for the Unified CM platform — should have flagged and actioned this within days of the 3 June patch release, and certainly once it hit the CISA KEV catalogue on 25 June. However, many SMEs have IT support for their servers and endpoints but treat the phone system as a separate domain managed by a telecoms supplier or not actively managed at all. If you are unsure whether your voice platform is inside or outside your managed support scope, that ambiguity is itself the risk: ask your provider directly today whether your Unified CM system is covered, whether the WebDialer status has been checked, and whether the June patch has been applied. If the answer is unclear, that is the gap CVE-2026-20230 is exploiting.
What is the single most important thing to do today?
Determine your exposure. Within the next few hours, establish three facts: whether you run Cisco Unified CM, whether the WebDialer service is enabled, and whether you are on a patched release (14SU6 or 15SU5). Those three answers tell you whether this is an emergency for your business or a non-issue. If you are exposed — Unified CM running, WebDialer enabled, unpatched — patch or apply the WebDialer mitigation this week, restrict the interfaces from the internet, and check for signs of compromise given that exploitation has been live since 24 June. If you are not exposed, document why so you can answer the question confidently if a client, insurer or auditor asks. Either way, use this as the prompt to decide whether on-premise telephony still belongs in your business ahead of the January 2027 PSTN switch-off.

Turn this CVE into a telephony decision, not just a patch

CVE-2026-20230 is the clearest possible signal that owning an on-premise call-control appliance means owning its security forever. Cloudswitched delivers cloud-hosted VoIP, Microsoft Teams Voice and SIP trunking in partnership with Fidelity Group — moving patch responsibility off your team, protecting against toll fraud, and getting you ahead of the January 2027 PSTN switch-off in a single project. If your phone system has become a patching liability, this is where you fix it for good.

Talk to us about VoIP & Phone Systems
Tags:VoIPCyber SecurityNetwork AdminIT Support
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.

CloudSwitched Service

VoIP & Phone Systems

Hosted telephony, Teams Voice and modern business communication solutions

Learn More

Technology Stack

Powered by industry-leading technologies including SolarWinds, Cloudflare, BitDefender, AWS, Microsoft Azure, and Cisco Meraki to deliver secure, scalable, and reliable IT solutions.

SolarWinds
Cloudflare
BitDefender
AWS
Hono
Opus
Office 365
Microsoft
Cisco Meraki
Microsoft Azure

Latest Articles

11
  • Google Ads & PPC

Negative Keywords: How to Stop Wasting Your Ad Budget

11 May, 2026

Read more
18
  • Internet & Connectivity

The Guide to Business Ethernet: EoFTTP, EAD, and More

18 Mar, 2026

Read more
27
  • Google Ads & PPC

Common Google Ads Mistakes and How to Avoid Them

27 May, 2026

Read more

Enquiry Received!

Thank you for getting in touch. A member of our team will review your enquiry and get back to you within 24 hours.