Description
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to redirect a user to a malicious web page.

This vulnerability is due to improper input validation of HTTP request parameters. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious web page.
Published: 2026-04-15
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: Open Redirect to malicious site
Action: Patch Immediately
AI Analysis

Impact

A vulnerability in the web-based management interface of Cisco Unity Connection permits an unauthenticated remote attacker to manipulate HTTP request parameters so that a user is redirected to a malicious web page. This open redirect flaw enables phishing or credential-stealing campaigns by piggybacking on legitimate user traffic. The weakness is rooted in unvalidated input handling, classifying it as a CWE-601 Open Redirect condition.

Affected Systems

Cisco Unity Connection – a unified communications platform. No specific affected versions are listed in the advisory, so the vulnerability may exist in multiple releases of the web management interface.

Risk and Exploitability

The CVSS base score of 4.7 indicates moderate risk, and the lack of an EPSS score means the likelihood of exploitation cannot be quantified from publicly available data. The vulnerability is not catalogued in the CISA KEV list. Exposing the management interface to the internet or allowing users to follow forged links provides a straightforward attack vector, enabling the attacker to redirect users to malicious sites and facilitate phishing or other social-engineering attacks.

Generated by OpenCVE AI on April 15, 2026 at 19:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Cisco Unity Connection patch released in the referenced advisory to fix input validation.
  • If a patch is unavailable or delayed, restrict external access to the management interface or enable network-level authentication to limit exposure.
  • Implement URL whitelisting or blacklist filters on the application or web proxy to prevent unexpected redirects.



Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of HTTP request parameters. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious web page.
Title | | Cisco Unity Connection Open Redirect Vulnerability
Weaknesses | | CWE-601
References | |
Metrics | | cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-04-15T16:56:34.222Z

Reserved: 2025-10-08T11:59:15.356Z

Link: CVE-2026-20060

Vulnrichment

Updated: 2026-04-15T16:56:16.599Z

NVD

Status: Received

Published: 2026-04-15T17:17:01.250

Modified: 2026-04-15T17:17:01.250

Link: CVE-2026-20060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:30:12Z

Weaknesses