
[CIVN-2026-0243] Multiple Vulnerabilities in Cisco Unity Connection
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Cisco Unity Connection versions 12.5 and prior
Cisco Unity Connection versions 14.0 and 15.0
Overview
Multiple vulnerabilities have been reported in the web-based management interface of Cisco Unity Connection that could allow a remote attacker to conduct server-side request forgery (SSRF) attacks through an affected system and execute arbitrary code on the targeted system, potentially resulting in complete system compromise.
Target Audience:
All organizations and individuals using Cisco Unity Connection.
Risk Assessment:
High risk of remote code execution, SSRF exploitation and privilege escalation.
Impact Assessment:
Execution of unauthorized code or commands, unauthorized access and disclosure of sensitive information.
Description
Cisco Unity Connection (CUC) is a robust unified messaging and voicemail solution that provides users with flexible message access options and IT with management simplicity.
These vulnerabilities exist due to insufficient and improper validation of user-supplied input within Cisco Unity Connection. An attacker could exploit these vulnerabilities by sending specially crafted API and HTTP requests to the targeted system.
Successful exploitation of these vulnerabilities could allow a remote attacker to conduct server-side request forgery (SSRF) attacks through an affected system and execute arbitrary code on the targeted system, potentially resulting in complete system compromise.
Solution
Apply appropriate updates as mentioned in the vendor advisory:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-rce-ssrf-hENhuASy
Vendor Information
Cisco
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-rce-ssrf-hENhuASy
References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-rce-ssrf-hENhuASy
CVE Name
CVE-2026-20034
CVE-2026-20035
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


