Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from Vendor (cisco) · only source for this CVE.
CVSS VectorVendor: cisco
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct SSRF attacks through an affected device.
This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device.
AnalysisAI
Server-Side Request Forgery (SSRF) in Cisco Unity Connection Web Inbox allows remote unauthenticated attackers to send arbitrary network requests sourced from the vulnerable server. The vulnerability affects the web UI component and requires no authentication, privileges, or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), enabling attackers to abuse the server's network position for internal network reconnaissance, service enumeration, or attacks against backend systems. The changed scope (S:C) indicates impact extends beyond the vulnerable component to other network resources accessible from the Unity Connection server.
Technical ContextAI
Cisco Unity Connection is a unified messaging platform providing voicemail, email, and fax services integrated with Cisco call control systems. This vulnerability resides in the Web Inbox interface, a web-based portal for accessing voicemail and messages. The root cause is CWE-918 (Server-Side Request Forgery), where the application fails to properly validate HTTP request parameters before using them to initiate outbound network connections. The CPE identifier (cpe:2.3:a:cisco:cisco_unity_connection:*:*:*:*:*:*:*:*) indicates all versions may be affected pending vendor clarification. SSRF vulnerabilities allow attackers to abuse the server as a proxy, leveraging its trusted network position and internal access to reach resources that would otherwise be blocked by firewalls or network segmentation. In enterprise environments, Unity Connection servers typically have access to internal VoIP infrastructure, directory services, and backend authentication systems.
RemediationAI
Consult the official Cisco Security Advisory cisco-sa-unity-rce-ssrf-hENhuASy at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-rce-ssrf-hENhuASy for patch availability and exact fixed software versions - the CVE data does not include confirmed patch version numbers. Until patching is complete, implement compensating controls: restrict network access to the Unity Connection Web Inbox interface using firewall rules or access control lists, permitting only trusted source IP addresses or internal network segments. Disable external access to the Web Inbox entirely if users can access voicemail through alternative interfaces (Cisco Jabber, phone-based TUI). Deploy egress filtering on the Unity Connection server to block outbound connections to RFC 1918 private address ranges, cloud metadata endpoints (169.254.169.254, fd00:ec2::254), and sensitive internal services, though this may impact legitimate integrations and requires testing. Monitor Unity Connection HTTP access logs and firewall logs for unusual outbound connection attempts or scanning patterns originating from the server. Note that network-layer mitigations reduce but do not eliminate SSRF risk, as attackers may still target allowed destinations or exploit application-layer protocols.
More in Cisco Unity Connection
View allSame weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27848
GHSA-w7jh-xmq5-2m7v