Back to search

Cisco

Unity Connection (CUC)

Cisco voicemail and unified messaging platform.

15 Current train 14 Switch to this train
Current version
Last checked: 2026-06-03

15SU4

Release date
February 04, 2026
Security status
2 high-severity CVEs tracked in the last 90 days. Current version not affected.

Source

Vendor Release Information

Public release notes are linked for the latest stored release.

View release notes Subscribe to updates

Release history

See the latest published releases stored for this product.

Version Published Notes
15SU4 2026-02-04 Release Notes
15SU3 2025-07-31 Release Notes

Vulnerability tracking

versionPing monitors CVEs for this product. Matching CVEs are listed below. We only display CVEs with a CVSS score of 7.0 or higher that were published within the last 90 days.

Affected status is inferred from published affected version ranges where available. Always verify against the vendor advisory before making production decisions.

CVE Severity Published Status Summary
CVE-2026-20035 HIGH (7.2) 2026-05-06 Current versionnot affected

A vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct SSRF attacks through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device.

Affected versions
  • 12.5(1)
  • 12.5(1)SU1
Show 19 more
  • 12.5(1)SU2
  • 12.5(1)SU3
  • 12.5(1)SU4
  • 14
  • 12.5(1)SU5
  • 14SU1
  • 12.5(1)SU6
  • 14SU2
  • 12.5(1)SU7
  • 14SU3
  • 12.5(1)SU8
  • 14SU3a
  • 12.5(1)SU8a
  • 15
  • 15SU1
  • 14SU4
  • 12.5(1)SU9
  • 15SU2
  • 15SU3
CVE-2026-20034 HIGH (8.8) 2026-05-06 Current versionnot affected

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device.

Affected versions
  • 12.5(1)
  • 12.5(1)SU1
Show 19 more
  • 12.5(1)SU2
  • 12.5(1)SU3
  • 12.5(1)SU4
  • 14
  • 12.5(1)SU5
  • 14SU1
  • 12.5(1)SU6
  • 14SU2
  • 12.5(1)SU7
  • 14SU3
  • 12.5(1)SU8
  • 14SU3a
  • 12.5(1)SU8a
  • 15
  • 15SU1
  • 14SU4
  • 12.5(1)SU9
  • 15SU2
  • 15SU3
versionPing is an unofficial free service that tracks software releases and notifies you when CVEs and updates are available. Built by an engineer for engineers.ImprintPrivacy Notice