CVE-2026-20175: Cisco Finesse Remote File Injection via Client-Side Request Validation Bypass
A remote attacker can trick a user into clicking a malicious link that causes their browser to load files from an attacker-controlled location while interacting with Cisco Finesse. Because the application doesn't properly validate where those files come from, an attacker can inject malicious scripts or steal sensitive information visible in the user's active session—all without needing to authenticate first.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-73
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, possibly leading to browser-based attacks. This vulnerability is due to insufficient validation of user-supplied input for HTTP requests that are sent to an affected device. An attacker who has knowledge of the address of the affected device could exploit this vulnerability by persuading a user to click a crafted link that contains the affected device address. A successful exploit could allow the attacker to conduct browser-based attacks and execute arbitrary script code in the context of the affected interface or access sensitive information on the affected device.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-20175 is a client-side request injection vulnerability in Cisco Finesse stemming from insufficient input validation (CWE-73) on HTTP requests. An unauthenticated attacker can craft a URL containing the target device address and socially engineer an active user into clicking it. The crafted request causes the user's browser to fetch and execute arbitrary resources from remote locations within the security context of the affected device. The vulnerability enables both malicious script execution and information disclosure attacks against authenticated users viewing the Finesse interface.
Business impact
This vulnerability bridges the gap between unauthenticated network access and authenticated session compromise. While an attacker cannot directly access Finesse without credentials, they can weaponize legitimate users' active sessions to exfiltrate customer data, call records, agent credentials, or configuration details handled by Finesse. For contact centers relying on Finesse for workforce management and CRM integration, a successful exploit could disrupt operations, compromise PII handled by agents, and trigger compliance violations depending on data exposure scope.
Affected systems
Cisco Finesse deployments are in scope. The vendor product information was not specified in available advisories at time of publication. Verify your specific Finesse versions, deployments (on-premises or cloud), and patch status against Cisco's official security advisory.
Exploitability
Exploitation requires user interaction—an attacker must convince a target user to click a crafted link. The attack vector is network-based and requires no privileges, making it practical for targeted phishing campaigns against contact center staff. Once clicked, the browser automatically processes the malicious request, lowering the technical barrier. No special tools or deep system knowledge is required from the attacker's perspective, though social engineering must succeed.
Remediation
Apply security patches from Cisco as soon as they are available. Monitor Cisco's security advisories for CVE-2026-20175 for specific affected versions and patch release dates. In the interim, implement user awareness training to reduce the likelihood of users clicking suspicious links, especially those referencing internal device addresses. Consider network segmentation to limit lateral movement if a user's session is compromised.
Patch guidance
Consult Cisco's official security advisory for CVE-2026-20175 to identify which Finesse versions are affected and the corresponding patch versions. Apply patches during a maintenance window after testing in a non-production environment. Given that this vulnerability requires user interaction, patching should be prioritized but is not an emergency if compensating controls are in place.
Detection guidance
Monitor web server logs and proxy logs for unusual HTTP requests to Finesse that contain foreign hostnames or IP addresses in parameters or referrer headers. Watch for users reporting unexpected browser behavior or script warnings when accessing Finesse. Endpoint detection tools should flag anomalous script execution originating from the Finesse domain. Correlate user click data from email security gateways with subsequent Finesse access anomalies.
Why prioritize this
While the CVSS 3.1 score of 6.1 (MEDIUM) reflects the requirement for user interaction, this vulnerability is practically significant because it affects an active user's authenticated session without requiring the attacker to bypass Finesse's access controls. Contact centers are high-value targets for social engineering, making the user-interaction barrier realistic rather than protective. The combination of unauthenticated network access, session compromise, and information disclosure justifies prioritization ahead of pure network-based attacks, though below critical vulnerabilities affecting core infrastructure.
Risk score, explained
The CVSS 3.1 score of 6.1 reflects a MEDIUM severity due to several factors: the attack requires no privileges (PR:N) and network accessibility (AV:N), but mandates user interaction (UI:R). The impact scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component itself. Confidentiality and integrity are both low impact (C:L, I:L), while availability is unaffected (A:N). The moderate score appropriately captures a vulnerability that is network-exposed and user-exploitable but stops short of full system compromise or availability disruption.
Frequently asked questions
Does an attacker need Finesse credentials to exploit this?
No. The vulnerability is unauthenticated, meaning an attacker does not need valid Finesse login credentials. However, the attack requires that a legitimate Finesse user (who is already authenticated) clicks the attacker's malicious link. The exploit then executes within the context of that user's session.
What types of data could an attacker access?
An attacker could access any data visible to or transmitted by the compromised user's browser session, including agent information, customer call records, PII displayed in CRM integrations, call histories, and potentially credentials stored in browser memory or cookies. The exact exposure depends on what information the user had access to and what the attacker's injected script is designed to steal.
Is this vulnerability on the CISA KEV list?
No, this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities catalog. However, the absence of KEV status does not indicate the vulnerability is low-risk—it means no active, in-the-wild exploitation has been confirmed and reported to CISA at the time of publication.
How can we reduce risk without patching immediately?
Implement targeted user awareness training emphasizing scrutiny of unexpected links, especially those containing IP addresses or internal device names. Use email security controls to flag suspicious URLs. Implement browser security policies to restrict automatic execution of scripts from unexpected domains. Monitor session activity for anomalous behavior and consider restricting Finesse access to corporate networks only.
This analysis is based on vulnerability data as of June 2026 and vendor advisories available at that time. Security severity and exploitability assessments may change as additional technical details emerge, patches are released, or active exploitation is discovered. Organizations should verify all patch availability, affected product versions, and deployment-specific risk against official Cisco security advisories and their own asset inventory. This content is provided for informational purposes to support security decision-making and does not constitute legal advice or a substitute for professional security assessment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10558MEDIUMSourceCodester Pizzafy 1.0 File Inclusion Vulnerability – Admin RCE Risk
- CVE-2026-10559MEDIUMFile Inclusion in SourceCodester Pizzafy Ecommerce System 1.0
- CVE-2026-41412MEDIUMalf.io Extension Sandbox File Read Vulnerability
- CVE-2026-10694HIGHRemote File Inclusion in SourceCodester Online Food Ordering System 2.0
- CVE-2026-35076HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability
- CVE-2026-35077HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability (CVSS 8.1)
- CVE-2026-35078HIGHArbitrary File Deletion in MBS Solutions Gateway Firmware
- CVE-2026-35079HIGHMBS Solutions Gateway File Deletion Vulnerability (CVSS 8.1)