A vulnerability in the web‑based management interface of Cisco Unity Connection permits an authenticated remote attacker to inject SQL statements by sending a specially crafted HTTP(S) request. The flaw stems from insufficient validation of user‑supplied input, consistent with CWE‑89. Successful exploitation enables the attacker to read data stored on the affected device, thereby compromising the confidentiality of that information. The impact is limited to disclosure; there is no evidence of privilege escalation or execution of arbitrary code.

The vendor and product affected is Cisco Unity Connection. Specific version information is not publicly disclosed in the available advisory, so all installations of Cisco Unity Connection that remain unpatched are potentially vulnerable unless a later update contains a fix.

The CVSS score of 4.3 indicates a moderate overall rating. EPSS data is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting the exploit has not been observed in the wild. Attackers must possess valid credentials and use the web management interface, suggesting the attack vector is remote but authenticated. Inferred from the description, the attacker can send crafted requests over the network to perform the injection. The risk level is moderate, with the primary concern being unauthorized data access rather than system compromise.