Description
Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. 

These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system.
Published: 2026-04-15
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Remote File Download
Action: Apply Patch
AI Analysis

Impact

This vulnerability allows an authenticated user with administrative privileges to download any file from a Cisco Unity Connection server. The flaw arises from inadequate sanitization of input to the web‑based administration interface, enabling a path traversal attack. An attacker who can send a crafted HTTPS request can cause the server to return the contents of arbitrary files, potentially exposing sensitive configuration or credential data.

Affected Systems

The flaw affects Cisco Unity Connection software. No specific version range is provided; any installation that has not applied the latest security updates may be vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS base score of 6.5, indicating a moderate impact. Exploitation requires valid administrative credentials and a remote HTTPS connection to the management interface. No exploit probability is available, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, suggesting that it has not yet been widely exploited. However, the ability to download arbitrary files poses significant confidentiality risks if administrative access is compromised.

Generated by OpenCVE AI on April 15, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Cisco Unity Connection patch or upgrade to a version that includes the fix.
  • Restrict administrative access to trusted personnel and enforce strong, regularly changed passwords.
  • Disable remote HTTPS management access unless it is essential for operations, and monitor the management interface for anomalous download attempts.

Generated by OpenCVE AI on April 15, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Cisco
Cisco unity Connection
Vendors & Products Cisco
Cisco unity Connection

Wed, 15 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials.  These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system.
Title Cisco Unity Connection Arbitrary File Download Vulnerability
Weaknesses CWE-23
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Cisco Unity Connection
cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-04-15T17:06:37.914Z

Reserved: 2025-10-08T11:59:15.363Z

Link: CVE-2026-20081

cve-icon Vulnrichment

Updated: 2026-04-15T16:56:34.848Z

cve-icon NVD

Status : Received

Published: 2026-04-15T17:17:01.783

Modified: 2026-04-15T17:17:01.783

Link: CVE-2026-20081

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T20:45:06Z

Weaknesses