CVE-2026-20034
Received Received - Intake
Remote Code Execution in Cisco Unity Connection

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-20034
EUVD
EUVD-2026-27847
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cisco unity_connection *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-35 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the web-based management interface of Cisco Unity Connection. It allows an authenticated remote attacker to execute arbitrary code on the affected device by submitting a specially crafted API request. The root cause is insufficient validation of user-supplied input, which enables the attacker to run code with root privileges, potentially leading to full device compromise.

Impact Analysis

If exploited, this vulnerability can allow an attacker with valid credentials to execute arbitrary code as root on the affected device. This could result in complete compromise of the device, including unauthorized access, data manipulation, disruption of services, and potential further attacks within the network.

Compliance Impact

The vulnerability allows an authenticated, remote attacker to execute arbitrary code as root on the affected Cisco Unity Connection device, potentially leading to complete compromise of the device.

Such a compromise could result in unauthorized access to sensitive data or disruption of services, which may impact compliance with data protection standards and regulations like GDPR and HIPAA that require safeguarding of personal and health information.

However, the provided information does not explicitly describe the direct effects on compliance with these standards.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade to the fixed software releases provided by Cisco for Cisco Unity Connection, such as versions 14SU5, 15SU4, or apply the specific patch file for version 15.0.

There are no available workarounds, so applying the official updates is the recommended immediate step to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20034. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart