8.8
CVE-2026-20034
- EPSS 0.45%
- Published 06.05.2026 16:16:05
- Last modified 06.05.2026 18:59:53
- Source psirt@cisco.com
Cisco Unity Connection Remote Code Execution Vulnerability
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device.
Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: Cisco
Product: Cisco Unity Connection
Default status: unknown
| Version | Status |
|---|---|
| 12.5(1) | affected |
| 12.5(1)SU1 | affected |
| 12.5(1)SU2 | affected |
| 12.5(1)SU3 | affected |
| 12.5(1)SU4 | affected |
| 14 | affected |
| 12.5(1)SU5 | affected |
| 14SU1 | affected |
| 12.5(1)SU6 | affected |
| 14SU2 | affected |
| 12.5(1)SU7 | affected |
| 14SU3 | affected |
| 12.5(1)SU8 | affected |
| 14SU3a | affected |
| 12.5(1)SU8a | affected |
| 15 | affected |
| 15SU1 | affected |
| 14SU4 | affected |
| 12.5(1)SU9 | affected |
| 15SU2 | affected |
| 15SU3 | affected |

VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.45% | 0.635 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| psirt@cisco.com | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

CWE-35 Path Traversal: '.../...//'
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.