CVE-2026-20078
MEDIUMCisco Unity Connection Arbitrary File Download Vulnerability
Title source: cnaDescription
Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system.
References (1)
Core 1
Core References
cisco-sa-unity-file-download-RmKEVWPx
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-file-download-RmKEVWPx
Scores
CVSS v3
6.5
EPSS
0.0039
EPSS Percentile
30.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-23
Status
published
Products (34)
Cisco/Cisco Unity Connection
12.5(1)
Cisco/Cisco Unity Connection
12.5(1)SU1
Cisco/Cisco Unity Connection
12.5(1)SU2
Cisco/Cisco Unity Connection
12.5(1)SU3
Cisco/Cisco Unity Connection
12.5(1)SU4
Cisco/Cisco Unity Connection
12.5(1)SU5
Cisco/Cisco Unity Connection
12.5(1)SU6
Cisco/Cisco Unity Connection
12.5(1)SU7
Cisco/Cisco Unity Connection
12.5(1)SU8
Cisco/Cisco Unity Connection
12.5(1)SU8a
... and 24 more
Published
Apr 15, 2026
Tracked Since
Apr 15, 2026