Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, possibly leading to browser-based attacks.
This vulnerability is due to insufficient validation of user-supplied input for HTTP requests that are sent to an affected device. An attacker who has knowledge of the address of the affected device could exploit this vulnerability by persuading a user to click a crafted link that contains the affected device address. A successful exploit could allow the attacker to conduct browser-based attacks and execute arbitrary script code in the context of the affected interface or access sensitive information on the affected device.
AnalysisAI
Remote File Inclusion (RFI) in Cisco Finesse enables unauthenticated remote attackers to load attacker-controlled files into an active user's browser session by exploiting insufficient validation of user-supplied HTTP request parameters. Exploitation requires social engineering an authenticated Finesse user into clicking a crafted URL referencing the affected device - no server-side authentication is needed from the attacker's perspective. A successful attack results in arbitrary JavaScript execution within the Finesse interface context (browser-based XSS-class impact) or unauthorized access to sensitive contact center information; no public exploit identified at time of analysis.
Technical ContextAI
CWE-73 (External Control of File Name or Path) describes a class of vulnerabilities where attacker-controlled input determines a file path or URL that the application then loads. In Cisco Finesse - a web-based agent desktop used in enterprise contact centers - HTTP request parameters are insufficiently sanitized, allowing an external URL to be injected and subsequently fetched or rendered by the Finesse interface in the context of a logged-in user's session. The resulting behavior is consistent with Remote File Inclusion: the server or browser is directed to retrieve and process a resource from an attacker-controlled origin, enabling script injection. The CPE string cpe:2.3:a:cisco:cisco_finesse:*:*:*:*:*:*:*:* uses a wildcard version field, indicating that all released versions of the Cisco Finesse application are potentially in scope per NVD data. The Changed Scope (S:C) in the CVSS vector confirms that the impact extends beyond the vulnerable component itself - from the server-side input handler into the victim's browser environment.
RemediationAI
Consult the Cisco Security Advisory cisco-sa-finesse-rfi-gwpkdc89 at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finesse-rfi-gwpkdc89 for official patch availability and specific fixed versions - no exact patched version number was present in the available intelligence data and should not be assumed. As a compensating control while patching is assessed, organizations should train Cisco Finesse agents not to follow unsolicited links referencing the Finesse device address, particularly those delivered via email, chat, or other communication channels; this directly addresses the required user-interaction step (UI:R). Web proxy or email security controls capable of inspecting and blocking outbound URLs that reference internal Finesse hostnames can reduce the delivery surface, though these controls add operational overhead and may interfere with legitimate workflows. Restricting Finesse agent desktops from resolving or fetching external URLs via browser policy (e.g., content security policies enforced at a reverse proxy) could limit the impact of successful RFI injection without requiring an immediate application patch.
Same weakness CWE-73 – External Control of File Name or Path
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34136
GHSA-2vpr-x5cr-vrgv