unify CVE Vulnerabilities & Metrics

Focus on unify vulnerabilities and metrics.

Last updated: 16 Jan 2026, 23:25 UTC

About unify Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with unify. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total unify CVEs: 11
Earliest CVE date: 08 Jun 2000, 04:00 UTC
Latest CVE date: 08 Feb 2024, 23:15 UTC

Latest CVE reference: CVE-2023-40264

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -100.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -100.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical unify CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.74

Max CVSS: 10.0

Critical CVEs (≥9): 1

CVSS Range vs. Count

Range	Count
0.0-3.9	6
4.0-6.9	6
7.0-8.9	2
9.0-10.0	1

CVSS Distribution Chart

Top 5 Highest CVSS unify CVEs

These are the five CVEs with the highest CVSS scores for unify, sorted by severity first and recency.

CVE-2000-1024 unify Published on 11 Dec 2000, 05:00 UTC (CVSS: 10.0)
eWave ServletExec 3.0C and earlier does not restrict access to the UploadServlet Java/JSP servlet, which allows remote attackers to upload files and execute arbitrary commands.
CVE-2014-8421 unify Published on 12 Apr 2018, 21:29 UTC (CVSS: 8.5)
Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allow remote attackers to gain super-user privileges by leveraging SSH access and incorrect ownership of (1) ConfigureCoreFile.sh, (2) Traceroute.sh, (3) apps.sh, (4) conversion_java2native.sh, (5) coreCompression.sh, (6) deletePasswd.sh, (7) findHealthSvcFDs.sh, (8) fw_printenv.sh, (9) fw_setenv.sh, (10)...
CVE-2014-2652 unify Published on 19 Mar 2018, 21:29 UTC (CVSS: 7.5)
SQL injection vulnerability in OpenScape Deployment Service (DLS) before 6.x and 7.x before R1.11.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2014-8422 unify Published on 12 Apr 2018, 21:29 UTC (CVSS: 6.8)
The web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 generates session cookies with insufficient entropy, which makes it easier for remote attackers to hijack sessions via a brute-force attack.
CVE-2000-1114 unify Published on 09 Jan 2001, 05:00 UTC (CVSS: 5.0)
Unify ServletExec AS v3.0C allows remote attackers to read source code for JSP pages via an HTTP request that ends with characters such as ".", or "+", or "%20".

All CVEs for unify

CVE-2023-40264 unify vulnerability CVSS: 0 08 Feb 2024, 23:15 UTC

An issue was discovered in Atos Unify OpenScape Voice Trace Manager V8 before V8 R0.9.11. It allows authenticated path traversal in the user interface.

CVE-2023-40263 unify vulnerability CVSS: 0 08 Feb 2024, 23:15 UTC

An issue was discovered in Atos Unify OpenScape Voice Trace Manager V8 before V8 R0.9.11. It allows authenticated command injection via ftp.

CVE-2023-40262 unify vulnerability CVSS: 0 08 Feb 2024, 23:15 UTC

An issue was discovered in Atos Unify OpenScape Voice Trace Manager V8 before V8 R0.9.11. It allows unauthenticated Stored Cross-Site Scripting (XSS) in the administration component via Access Request.

CVE-2023-48166 unify vulnerability CVSS: 0 12 Jan 2024, 23:15 UTC

A directory traversal vulnerability in the SOAP Server integrated in Atos Unify OpenScape Voice V10 before V10R3.26.1 allows a remote attacker to view the contents of arbitrary files in the local file system. An unauthenticated attacker might obtain sensitive files that allow for the compromise of the underlying system.

CVE-2023-36619 unify vulnerability CVSS: 0 04 Oct 2023, 21:15 UTC

Atos Unify OpenScape Session Border Controller through V10 R3.01.03 allows execution of administrative scripts by unauthenticated users.

CVE-2023-36618 unify vulnerability CVSS: 0 04 Oct 2023, 21:15 UTC

Atos Unify OpenScape Session Border Controller through V10 R3.01.03 allows execution of OS commands as root user by low-privileged authenticated users.

CVE-2014-9563 unify vulnerability CVSS: 4.0 12 Apr 2018, 21:29 UTC

CRLF injection vulnerability in the web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allows remote authenticated users to modify the root password and consequently access the debug port using the serial interface via the ssh-password parameter to page.cmd.

CVE-2014-8422 unify vulnerability CVSS: 6.8 12 Apr 2018, 21:29 UTC

The web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 generates session cookies with insufficient entropy, which makes it easier for remote attackers to hijack sessions via a brute-force attack.

CVE-2014-8421 unify vulnerability CVSS: 8.5 12 Apr 2018, 21:29 UTC

Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allow remote attackers to gain super-user privileges by leveraging SSH access and incorrect ownership of (1) ConfigureCoreFile.sh, (2) Traceroute.sh, (3) apps.sh, (4) conversion_java2native.sh, (5) coreCompression.sh, (6) deletePasswd.sh, (7) findHealthSvcFDs.sh, (8) fw_printenv.sh, (9) fw_setenv.sh, (10) hw_wd_kicker.sh, (11) new_rootfs.sh, (12) opera_killSnmpd.sh, (13) opera_startSnmpd.sh, (14) rebootOperaSoftware.sh, (15) removeLogFiles.sh, (16) runOperaServices.sh, (17) setPasswd.sh, (18) startAccTestSvcs.sh, (19) usbNotification.sh, or (20) appWeb in /Opera_Deploy.

CVE-2014-2652 unify vulnerability CVSS: 7.5 19 Mar 2018, 21:29 UTC

SQL injection vulnerability in OpenScape Deployment Service (DLS) before 6.x and 7.x before R1.11.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2015-8251 unify vulnerability CVSS: 4.3 25 Sep 2017, 21:29 UTC

OpenStage 60 and OpenScape Desk Phone IP 55G SIP V3, OpenStage 15, 20E, 20 and 40 and OpenScape Desk Phone IP 35G SIP V3, OpenScape Desk Phone IP 35G Eco SIP V3, OpenStage 60 and OpenScape Desk Phone IP 55G HFA V3, OpenStage 15, 20E, 20, and 40 and OpenScape Desk Phone IP 35G HFA V3, and OpenScape Desk Phone IP 35G Eco HFA V3 use non-unique X.509 certificates and SSH host keys.

CVE-2000-1114 unify vulnerability CVSS: 5.0 09 Jan 2001, 05:00 UTC

Unify ServletExec AS v3.0C allows remote attackers to read source code for JSP pages via an HTTP request that ends with characters such as ".", or "+", or "%20".

CVE-2000-1024 unify vulnerability CVSS: 10.0 11 Dec 2000, 05:00 UTC

eWave ServletExec 3.0C and earlier does not restrict access to the UploadServlet Java/JSP servlet, which allows remote attackers to upload files and execute arbitrary commands.

CVE-2000-1025 unify vulnerability CVSS: 5.0 11 Dec 2000, 05:00 UTC

eWave ServletExec JSP/Java servlet engine, versions 3.0C and earlier, allows remote attackers to cause a denial of service via a URL that contains the "/servlet/" string, which invokes the ServletExec servlet and causes an exception if the servlet is already running.

CVE-2000-0498 unify vulnerability CVSS: 5.0 08 Jun 2000, 04:00 UTC

Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.