Cisco Unity Connection flaws CVE-2026-20034 and CVE-2026-20035 allow remote code execution and SSRF
Cisco's May 6 PSIRT advisory discloses multiple vulnerabilities in Unity Connection, tracked as CVE-2026-20034 and CVE-2026-20035, that could let a remote attacker execute arbitrary code on an affected device or conduct .
At a glance
- CVE-2026-20034 and CVE-2026-20035 in Cisco Unity Connection enable remote code execution and SSRF, rated High impact
- Cisco released software updates; no workarounds exist, per the advisory
VERDICT — CONFIRMED
Cisco disclosed multiple vulnerabilities in Unity Connection, tracked as CVE-2026-20034 and CVE-2026-20035, in a PSIRT security advisory published May 6.
Per the advisory, the flaws could let a remote attacker execute arbitrary code on an affected device or conduct server-side request forgery attacks through it. Cisco rates the security impact of the advisory High.
Cisco has released software updates that address the vulnerabilities, per the advisory, and — significantly for defenders — states that no workarounds address the flaws. That combination leaves patching as the only remediation path for affected Unity Connection deployments.
The affected version ranges, CVSS scores and exploitation status were not included in the material reviewed; administrators should consult the advisory directly for fixed-release mapping. The advisory itself is the confirmed source; no in-the-wild exploitation was asserted in the material reviewed.
Key facts on file
- CVE-2026-20034 and CVE-2026-20035 in Cisco Unity Connection enable remote code execution and SSRF, rated High impact
- Cisco released software updates; no workarounds exist, per the advisory
