Ddos 
Cisco has issued a high-priority security advisory regarding multiple vulnerabilities in Cisco Unity Connection that could allow adversaries to seize control of affected systems or orchestrate sophisticated network incursions.
The vulnerabilities, which carry a significant security impact, involve a dangerous combination of Remote Code Execution (RCE) and Server-Side Request Forgery (SSRF). Security researchers warn that these flaws could lead to a “complete compromise of a targeted device” if successfully exploited.
The advisory highlights two primary vulnerabilities that, while residing within the same product, operate independently of one another.
The more severe of the two, CVE-2026-20034, is an RCE vulnerability found in the web-based management interface. Cisco notes that this flaw is “due to insufficient validation of user-supplied input”.
An authenticated attacker can submit a “crafted API request” to trigger the flaw. A successful exploit is devastating, as it allows the attacker to “execute arbitrary code as root”. To launch this attack, the perpetrator must already possess “valid user credentials on the affected device”.
The second flaw, CVE-2026-20035, targets the Web Inbox feature, which is enabled by default in Cisco Unity Connection. Unlike the RCE flaw, this can be exploited by an unauthenticated attacker. By sending a “crafted HTTP request,” an attacker can manipulate the server into acting as a proxy.
This allows the attacker to “send arbitrary network requests that are sourced from the affected device,” potentially bypassing internal firewalls to probe deeper into the corporate network.
Cisco warns that CVE-2026-20034 affects the product “regardless of device configuration”. However, CVE-2026-20035 is specific to environments where the Web Inbox is active.
To verify your status, Cisco recommends administrators navigate the Cisco Unity Connection Administration interface to the Class of Service settings. Within the Licensed Features section, verify the status of the checkbox labeled “Allow Users to Use the Web Inbox and RSS Feeds”.
There are no workarounds that address this vulnerability for either flaw. The only path to safety is a prompt software update.
| Cisco Unity Connection Release | First Fixed Release |
| 12.5 and earlier |
Migrate to a fixed release |
| 14.0 |
14SU5 |
| 15.0 |
15SU4 or specific patch file |
For those on version 15.0, a dedicated patch—ciscocm.cuc.V15 CSCwq36774-CSCwq36834 C0277-1.zip—is available to address both Bug IDs.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
