CISCO has released patches for several high-severity vulnerabilities in its enterprise products, including two in Unity Connection that could enable code execution or service disruption. The flaws, CVE-2026-20034 and CVE-2026-20035, could allow a remote attacker to trigger SSRF or run arbitrary code on affected devices, with exploitation stemming from improper input validation in the Unity Connection components.
According to Cisco, one vulnerability in Unity Connection could let an authenticated remote attacker execute arbitrary root-level code via a crafted API request, while another in the Web Inbox UI could allow an unauthenticated attacker to perform SSRF by sending crafted HTTP requests. Cisco PSIRT said it is not aware of any public reports or active malicious exploitation of these vulnerabilities.
The company has published fixes and notes that there are no workarounds for the issues, with affected releases including multiple versions of Unity Connection and a listed migration path to fixed releases. 07 May 2026