CVE-2026-20034 | THREATINT

Description

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device.

PUBLISHED Reserved 2025-10-08 | Published 2026-05-06 | Updated 2026-05-07 | Assigner cisco

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Path Traversal: '.../...//'

Product status

Default status

unknown

12.5(1)

affected

12.5(1)SU1

affected

12.5(1)SU2

affected

12.5(1)SU3

affected

12.5(1)SU4

affected

12.5(1)SU5

affected

14SU1

affected

12.5(1)SU6

affected

14SU2

affected

12.5(1)SU7

affected

14SU3

affected

12.5(1)SU8

affected

14SU3a

affected

12.5(1)SU8a

affected

15SU1

affected

14SU4

affected

12.5(1)SU9

affected

15SU2

affected

15SU3

affected

References

sec.cloudapps.cisco.com/.../cisco-sa-unity-rce-ssrf-hENhuASy (cisco-sa-unity-rce-ssrf-hENhuASy)

cve.org (CVE-2026-20034)

nvd.nist.gov (CVE-2026-20034)

Download JSON