Cisco Unity Connection Vulnerabilities (CVE‑2026‑20034 & CVE‑2026‑20035) Enable SSRF and Remote Code Execution
What Happened – Cisco disclosed and patched multiple high‑severity flaws in its Unity Connection platform. CVE‑2026‑20034 allows an authenticated attacker to execute arbitrary root‑level code via a crafted API request, while CVE‑2026‑20035 enables an unauthenticated attacker to perform server‑side request forgery (SSRF) through the Web Inbox UI.
Why It Matters for TPRM –
- Exploitation can lead to full device compromise, giving threat actors footholds inside corporate networks.
- SSRF can be leveraged to pivot to internal services, exposing downstream vendors and cloud workloads.
- The vulnerabilities affect widely deployed Cisco telephony/voicemail solutions, a common third‑party component in many enterprises.
Who Is Affected – Enterprises that use Cisco Unity Connection (versions 12.5‑earlier, 14.0, 15.0) across sectors such as technology SaaS, telecommunications, government, and financial services.
Recommended Actions –
- Verify that all Unity Connection instances are running the fixed releases (14SU5, 15SU4, or later).
- Conduct an inventory of Cisco telephony/voicemail assets and map them to business processes.
- Apply the Cisco patch immediately; where patching is delayed, isolate the device and monitor for anomalous outbound traffic.
Technical Notes –
- Attack Vector: Authenticated API abuse (CVE‑2026‑20034) and unauthenticated HTTP request manipulation (CVE‑2026‑20035).
- CVEs: CVE‑2026‑20034 (remote code execution, requires valid credentials) and CVE‑2026‑20035 (SSRF, no credentials required).
- Potential Impact: Arbitrary code execution as root, internal network reconnaissance, denial‑of‑service.
- Mitigations: No known work‑arounds; patch is the sole remediation.
Source: Security Affairs