Cyber Resilience

CVE-2026-20034

High

Published: 06 May 2026

Published
06 May 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0070 48.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-20034 is a high-severity Path Traversal: '.../...//' (CWE-35) vulnerability in Cisco Unity Connection (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this…

more

vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authenticated RCE via crafted API request to web management interface enables T1190 (public-facing app exploitation) and T1068 (priv esc to root).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25397Shared CWE-35
CVE-2025-59099Shared CWE-35
CVE-2025-26356Shared CWE-35
CVE-2026-42930Shared CWE-35
CVE-2026-25705Shared CWE-35
CVE-2024-54362Shared CWE-35
CVE-2026-7302Shared CWE-35
CVE-2025-26354Shared CWE-35
CVE-2025-67914Shared CWE-35
CVE-2025-59793Shared CWE-35

Affected Assets

Cisco
Unity Connection
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References