CVE-2026-20060
Open Redirect Vulnerability in Cisco Unity Connection Web Interface
Publication date: 2026-04-15
Last updated on: 2026-04-28
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | unity_connection | 14.0 |
| cisco | unity_connection | 14su3 |
| cisco | unity_connection | 14su2 |
| cisco | unity_connection | 14su1 |
| cisco | unity_connection | 14su3a |
| cisco | unity_connection | 14su4 |
| cisco | unity_connection | 15.0 |
| cisco | unity_connection | 15su1 |
| cisco | unity_connection | 15su2 |
| cisco | unity_connection | 15su3 |
| cisco | unity_connection | to 12.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the web-based management interface of Cisco Unity Connection. It allows an unauthenticated, remote attacker to redirect a user to a malicious web page by exploiting improper input validation of HTTP request parameters.
An attacker can exploit this by persuading a user to click on a specially crafted link, which then causes the redirection.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker could redirect users to malicious websites without authentication. This could lead to phishing attacks, malware downloads, or other malicious activities initiated by the attacker.
The CVSS score of 4.7 indicates a medium severity, with the main impact being on integrity due to the potential for malicious redirection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper input validation of HTTP request parameters in the web-based management interface of Cisco Unity Connection, which can be exploited by crafted links causing redirection to malicious web pages.
Detection would involve monitoring HTTP requests to the Cisco Unity Connection management interface for suspicious or crafted URLs that attempt to redirect users.
Specific commands or tools to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to apply the software updates released by Cisco that address this issue.
No workarounds are available, so timely patching is critical to prevent exploitation.