CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Cisco Unity Connection Remote Code Execution and Server-Side Request Forgery Vulnerabilities

highCVE-2026-20034CVE-2026-20035
Multiple vulnerabilities in Cisco Unity Connection could allow a remote attacker to execute arbitrary code on or conduct server-side request forgery (SSRF) attacks through an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-rce-ssrf-hENhuASy Security Impact Rating: High CVE: CVE-2026-20034,CVE-2026-20035

CSIRTS triage

What
Multiple vulnerabilities could allow a remote attacker to execute arbitrary code or conduct server-side request forgery attacks.
Who is affected
Users of Cisco Unity Connection are affected.
Urgency
Remediation is urgent due to the high risk of remote code execution and SSRF attacks.
Action
Update to the latest version of Cisco Unity Connection.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Cisco Unity Connection

Get an email when a new Cisco Unity Connection advisory drops — max one per day, one-click unsubscribe.

Details

Source
Cisco Security Advisories (INTL · vendor-psirt · site)
Severity
high
Published
2026-05-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-rce-ssrf-hENhuASy?vs_f=Cisco%20Security%20Advisory%26vs_cat=Security%20Intelligence%26vs_type=RSS%26vs_p=Cisco%20Unity%20Connection%20Remote%20Code%20Execution%20and%20Server-Side%20Request%20Forgery%20Vulnerabilities%26vs_k=1

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-20034coverage & exploitation statusNVD · CVE.org
CVE-2026-20035coverage & exploitation statusNVD · CVE.org

Recent advisories for Cisco Unity Connection

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from Cisco Security Advisories