VYPR
Medium severity 6.1 · NVD Advisory · Published Jun 3, 2026

CVE-2026-20175

Description

Cisco Finesse RFI vulnerability allows unauthenticated attackers to load arbitrary remote files into user sessions, enabling browser-based attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A vulnerability in Cisco Finesse allows an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device. This is due to insufficient validation of user-supplied input for HTTP requests sent to the device. At the time of publication, this vulnerability affected Cisco Finesse, regardless of device configuration [1].

Exploitation

An attacker with knowledge of the affected device's address could exploit this vulnerability by persuading a user to click a crafted link containing the affected device address. This requires user interaction and knowledge of the target device's address [1].

Impact

A successful exploit could allow the attacker to conduct browser-based attacks, execute arbitrary script code within the context of the affected interface, or access sensitive information on the affected device [1].

Mitigation

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. For information about which Cisco software releases were vulnerable at the time of publication, refer to the Fixed Software section of the advisory [1].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

1