Cisco: Code injection vulnerability in Unity Connection and other flaws
Cisco has released almost two dozen security updates. They close several high-risk flaws, for example in Unity Connection.
Network equipment provider Cisco has released eight security advisories, some of which address high-risk vulnerabilities in several products. The most serious appear to be security flaws in Cisco's Unity Connection, which allow the injection and execution of malicious code.
Two vulnerabilities affect Cisco's Unity Connection. The more severe one allows authenticated attackers from the network to inject and execute malicious code via manipulated API requests to the web-based management interface. The second flaw affects the web user interface of the Unity Connection Web Inbox and allows unauthenticated actors from the network to perform a Server-Side Request Forgery (SSRF) attack.
The Managed Switches of the SG350 and SG350X series have a Denial-of-Service vulnerability that logged-in attackers can trigger with prepared SNMP requests. Because a rate-limiting mechanism for network connections is improperly implemented, unauthenticated malicious actors from the network can disable Cisco's Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO) by sending many connection requests. Multiple flaws in Cisco's IoT Field Network Director also allow logged-in attackers from the network to execute commands, access files, and perform Denial-of-Service attacks on managed routers.
Overview of patched vulnerabilities
The security vulnerabilities in detail, sorted by severity:
- Cisco Unity Connection Remote Code Execution and Server-Side Request Forgery Vulnerabilities (CVE-2026-20034, CVSS 8.8; CVE-2026-20035, CVSS 7.2; both risk “high”)
- Cisco SG350 and SG350X Series Managed Switches SNMP Denial of Service Vulnerability (CVE-2026-20185, CVSS 7.7, risk “high”)
- Cisco Crosswork Network Controller and Cisco Network Services Orchestrator Connection Exhaustion Denial of Service Vulnerability (CVE-2026-20188, CVSS 7.5, risk “high”)
- Cisco IoT Field Network Director Vulnerabilities (CVE-2026-20167, CVSS 7.7, risk “high”; CVE-2026-20168, CVSS 6.5, risk “medium”; CVE-2026-20169, CVSS 6.4, risk “medium”)
- Cisco Slido Insecure Direct Object Reference Vulnerability (CVE-2026-20219, CVSS 5.4, risk “medium”)
- Cisco Identity Services Engine Authentication Bypass Vulnerabilities (CVE-2026-20195, CVSS 5.4; CVE-2026-20193, CVSS 4.3; both risk “medium”)
- Cisco Prime Infrastructure Information Disclosure Vulnerability (CVE-2026-20189, CVSS 4.3, risk “medium”)
- Cisco Enterprise Chat and Email Lite Agent File Upload Vulnerability (CVE-2026-20172, CVSS 4.3, risk “medium”)
Cisco most recently closed several security vulnerabilities in various products in mid-April. At that time, the developers closed ten security flaws, for example in Cisco's Identity Services Engine and Webex.
(dmk)