CVE-2026-20034
Received Received - Intake
Remote Code Execution in Cisco Unity Connection

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-05-07
AI Q&A
2026-05-06
EPSS Evaluated
N/A
NVD
CVE-2026-20034
EUVD
EUVD-2026-27847
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cisco unity_connection *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-35 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows an authenticated, remote attacker to execute arbitrary code as root on the affected Cisco Unity Connection device, potentially leading to complete compromise of the device.

Such a compromise could result in unauthorized access to sensitive data or disruption of services, which may impact compliance with data protection standards and regulations like GDPR and HIPAA that require safeguarding of personal and health information.

However, the provided information does not explicitly describe the direct effects on compliance with these standards.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade to the fixed software releases provided by Cisco for Cisco Unity Connection, such as versions 14SU5, 15SU4, or apply the specific patch file for version 15.0.

There are no available workarounds, so applying the official updates is the recommended immediate step to prevent exploitation.


Can you explain this vulnerability to me?

This vulnerability exists in the web-based management interface of Cisco Unity Connection. It allows an authenticated remote attacker to execute arbitrary code on the affected device by submitting a specially crafted API request. The root cause is insufficient validation of user-supplied input, which enables the attacker to run code with root privileges, potentially leading to full device compromise.


How can this vulnerability impact me? :

If exploited, this vulnerability can allow an attacker with valid credentials to execute arbitrary code as root on the affected device. This could result in complete compromise of the device, including unauthorized access, data manipulation, disruption of services, and potential further attacks within the network.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart