CVE-2026-20175
Awaiting Analysis Awaiting Analysis - Queue
Cisco Finesse Remote File Inclusion Vulnerability

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: Cisco Systems, Inc.

Description
A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, possibly leading to browser-based attacks. This vulnerability is due to insufficient validation of user-supplied input for HTTP requests that are sent to an affected device. An attacker who has knowledge of the address of the affected device could exploit this vulnerability by persuading a user to click a crafted link that contains the affected device address. A successful exploit could allow the attacker to conduct browser-based attacks and execute arbitrary script code in the context of the affected interface or access sensitive information on the affected device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-20175
EUVD
EUVD-2026-34136
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cisco finesse to 15.0 (exc)
cisco finesse *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Cisco Finesse allows an attacker to execute arbitrary script code or access sensitive information by exploiting insufficient validation of user-supplied input. This could potentially lead to unauthorized access to sensitive data.

Such unauthorized access or exposure of sensitive information may impact compliance with data protection standards and regulations like GDPR or HIPAA, which require safeguarding personal and sensitive data against unauthorized access or breaches.

However, the provided information does not explicitly state the direct impact on compliance with these standards or any specific regulatory consequences.

Executive Summary

CVE-2026-20175 is a Remote File Inclusion vulnerability in Cisco Finesse that allows an unauthenticated remote attacker to load arbitrary files from remote locations into an active user session on an affected device.

This happens because the device does not properly validate user-supplied input in HTTP requests. An attacker who knows the address of the affected device can exploit this by tricking a user into clicking a specially crafted link containing that address.

Successful exploitation could lead to browser-based attacks, including executing arbitrary script code within the affected interface or accessing sensitive information on the device.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary scripts in the context of the affected Cisco Finesse interface.

Such attacks could lead to unauthorized access to sensitive information on the device or manipulation of the user session.

Because the attacker can load arbitrary remote files, it increases the risk of browser-based attacks that compromise the security and integrity of the affected system.

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, Cisco recommends upgrading Cisco Finesse to the fixed software version 15.0(1)SU1 or later.

No workarounds are available, so applying the software update is the primary and immediate step to fully remediate the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20175. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart