Skip to main content

Cisco Finesse CVE-2026-20175

| EUVDEUVD-2026-34136 MEDIUM
External Control of File Name or Path (CWE-73)
2026-06-03 cisco GHSA-2vpr-x5cr-vrgv
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 03, 2026 - 18:22 vuln.today
CVE Published
Jun 03, 2026 - 16:06 nvd
MEDIUM 6.1

DescriptionCVE.org

A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, possibly leading to browser-based attacks.

This vulnerability is due to insufficient validation of user-supplied input for HTTP requests that are sent to an affected device. An attacker who has knowledge of the address of the affected device could exploit this vulnerability by persuading a user to click a crafted link that contains the affected device address. A successful exploit could allow the attacker to conduct browser-based attacks and execute arbitrary script code in the context of the affected interface or access sensitive information on the affected device.

AnalysisAI

Remote File Inclusion (RFI) in Cisco Finesse enables unauthenticated remote attackers to load attacker-controlled files into an active user's browser session by exploiting insufficient validation of user-supplied HTTP request parameters. Exploitation requires social engineering an authenticated Finesse user into clicking a crafted URL referencing the affected device - no server-side authentication is needed from the attacker's perspective. A successful attack results in arbitrary JavaScript execution within the Finesse interface context (browser-based XSS-class impact) or unauthorized access to sensitive contact center information; no public exploit identified at time of analysis.

Technical ContextAI

CWE-73 (External Control of File Name or Path) describes a class of vulnerabilities where attacker-controlled input determines a file path or URL that the application then loads. In Cisco Finesse - a web-based agent desktop used in enterprise contact centers - HTTP request parameters are insufficiently sanitized, allowing an external URL to be injected and subsequently fetched or rendered by the Finesse interface in the context of a logged-in user's session. The resulting behavior is consistent with Remote File Inclusion: the server or browser is directed to retrieve and process a resource from an attacker-controlled origin, enabling script injection. The CPE string cpe:2.3:a:cisco:cisco_finesse:*:*:*:*:*:*:*:* uses a wildcard version field, indicating that all released versions of the Cisco Finesse application are potentially in scope per NVD data. The Changed Scope (S:C) in the CVSS vector confirms that the impact extends beyond the vulnerable component itself - from the server-side input handler into the victim's browser environment.

RemediationAI

Consult the Cisco Security Advisory cisco-sa-finesse-rfi-gwpkdc89 at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finesse-rfi-gwpkdc89 for official patch availability and specific fixed versions - no exact patched version number was present in the available intelligence data and should not be assumed. As a compensating control while patching is assessed, organizations should train Cisco Finesse agents not to follow unsolicited links referencing the Finesse device address, particularly those delivered via email, chat, or other communication channels; this directly addresses the required user-interaction step (UI:R). Web proxy or email security controls capable of inspecting and blocking outbound URLs that reference internal Finesse hostnames can reduce the delivery surface, though these controls add operational overhead and may interfere with legitimate workflows. Restricting Finesse agent desktops from resolving or fetching external URLs via browser policy (e.g., content security policies enforced at a reverse proxy) could limit the impact of successful RFI injection without requiring an immediate application patch.

Share

CVE-2026-20175 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy