Multiple Cisco Unified CCX Vulnerabilities Enable Arbitrary Command Execution by Attackers

Cisco has disclosed critical security vulnerabilities affecting Cisco Unified Contact Center Express (Unified CCX) that could enable unauthenticated, remote attackers to execute arbitrary commands, escalate privileges to root, and bypass authentication mechanisms.

The vulnerabilities reside in the Java Remote Method Invocation (RMI) process and CCX Editor application, presenting severe risks to enterprise contact center deployments.

Two critical vulnerabilities have been identified in Cisco Unified CCX systems. The first vulnerability, CVE-2025-20354, is a Remote Code Execution vulnerability in the Java RMI process with a CVSS Base Score of 9.8.

This vulnerability allows unauthenticated attackers to upload arbitrary files through the Java RMI process by exploiting improper authentication mechanisms.

Successful exploitation enables attackers to execute arbitrary commands on the underlying operating system and elevate privileges to root, providing complete system compromise capabilities.

The second vulnerability, CVE-2025-20358, is an authentication bypass vulnerability in the CCX Editor application with a CVSS Base Score of 9.4.

This vulnerability allows attackers to bypass authentication and obtain administrative permissions related to script creation and execution.

The vulnerability stems from improper authentication mechanisms in communications between the CCX Editor and affected Unified CCX servers.

Attackers can exploit this by redirecting the authentication flow to a malicious server, tricking the CCX Editor into accepting the authentication as successful. Successful exploitation permits attackers to create and execute arbitrary scripts on the affected system as an internal non-root user account.

Scope of Impact

The vulnerabilities affect Cisco Unified CCX systems regardless of device configuration. Cisco has confirmed that Packaged Contact Center Enterprise (Packaged CCE) and Unified Contact Center Enterprise (Unified CCE) are not vulnerable to these issues.

Both vulnerabilities are independent of one another, meaning attackers do not need to chain exploits to gain access.

Cisco has released software updates addressing both vulnerabilities, with no workarounds available. Organizations should prioritize upgrading to patched versions immediately.

For Unified CCX release 12.5, affected systems should upgrade to version 12.5 SU3 ES07 or later. For Unified CCX release 15.0, the fix is available in version 15.0 ES01 and subsequent releases.

Given the critical nature of these vulnerabilities and the complete absence of workarounds, Cisco strongly recommends immediate patching of all affected systems.

Systems running versions earlier than 12.5 SU3 or 15.0 should be considered at risk in their current state.

As of now, Cisco’s Product Security Incident Response Team (PSIRT) reports no evidence of public announcements or active malicious exploitation of these vulnerabilities.

However, the ease of exploitation (requiring only network access and no authentication), combined with the severe consequences (remote code execution as root), suggests these vulnerabilities will likely attract threat actor attention the longer systems remain unpatched.

Organizations operating Cisco Unified CCX should immediately verify their current software versions against the vulnerability details and apply appropriate patches.
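
An inventory check against the fixed releases named above, added here as an example (it is not Cisco tooling). It assumes release labels are recorded in the form this article uses, such as "12.5 SU3 ES07"; the hostnames and inventory entries are constructed.

```python
import re

# Fixed releases as stated in this article, keyed by release train.
# Value layout: (service update number, engineering special number).
FIXED = {
    (12, 5): (3, 7),   # 12.5 SU3 ES07
    (15, 0): (0, 1),   # 15.0 ES01
}

# Assumed label format: "<major>.<minor> [SU<n>] [ES<nn>]"
LABEL_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\s+SU(\d+))?(?:\s+ES(\d+))?\s*$", re.IGNORECASE
)

def parse_label(label):
    """Return ((major, minor), (su, es)), or None if the label is not understood."""
    m = LABEL_RE.match(label)
    if not m:
        return None
    major, minor, su, es = m.groups()
    return (int(major), int(minor)), (int(su or 0), int(es or 0))

def assess(label):
    """Classify a release label as 'fixed', 'vulnerable' or 'review'."""
    parsed = parse_label(label)
    if parsed is None:
        return "review"      # unparseable label: check by hand
    train, level = parsed
    if train not in FIXED:
        return "review"      # the article names no fixed release for this train
    # Tuple comparison implements "SU/ES at or after the fixed level".
    return "fixed" if level >= FIXED[train] else "vulnerable"

# Constructed inventory for illustration; hostnames are hypothetical.
INVENTORY = {
    "ccx-a.example.internal": "12.5 SU3 ES07",
    "ccx-b.example.internal": "12.5 SU3 ES06",
    "ccx-c.example.internal": "12.5 SU2 ES09",
    "ccx-d.example.internal": "15.0",
    "ccx-e.example.internal": "12.0 SU1",
}

def report(inventory):
    """Map each host to its assessment."""
    return {host: assess(label) for host, label in inventory.items()}

if __name__ == "__main__":
    for host, status in sorted(report(INVENTORY).items()):
        print(f"{host:26} {INVENTORY[host]:16} {status}")
```

Hosts reported as "review" run a release train for which the article lists no fixed version, or carry a label the parser does not recognize, and need to be checked against Cisco's advisory by hand.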

System administrators should prioritize patching systems facing internet exposure. Additionally, network segmentation and access controls limiting RMI communications to trusted networks provide temporary defensive measures until patches are deployed.

Given the critical CVSS scores and the complete compromise potential these vulnerabilities present, urgent action is warranted across all affected deployments.
