Cisco has published a critical security advisory addressing multiple severe vulnerabilities in Cisco Unified Contact Center Express (Unified CCX) that could allow unauthenticated remote attackers to execute arbitrary commands and compromise affected systems.
The vulnerabilities were disclosed on November 5, 2025, with the advisory updated on November 13, 2025. Two distinct vulnerabilities have been identified in the Java Remote Method Invocation (RMI) process of Unified CCX.
| CVE ID | Affected Component | CVSS | Impact |
|---|---|---|---|
| CVE-2025-20354 | Cisco Unified CCX (Java RMI) | 9.8 | Allows unauthenticated attackers to upload files and run commands as root |
| CVE-2025-20358 | Cisco Unified CCX Editor | 9.4 | Lets attackers bypass login and gain admin access for script execution |
The first vulnerability, tracked as CVE-2025-20354, enables attackers to upload malicious files and execute arbitrary commands with root privileges on affected systems.
This flaw stems from improper authentication mechanisms associated with specific Unified CCX features.
Attackers can exploit the vulnerability by uploading crafted files via Java RMI without authentication, gaining complete system control.
The second vulnerability, CVE-2025-20358, exists in the CCX Editor application and allows attackers to bypass authentication to obtain administrative permissions for script creation and execution.
Attackers can redirect the authentication flow to malicious servers, tricking the CCX Editor into believing authentication was successful.
This enables them to create and execute arbitrary scripts on the underlying operating system. Both vulnerabilities carry a Critical security impact rating: CVE-2025-20354 has a CVSS score of 9.8 and CVE-2025-20358 a CVSS score of 9.4. No workarounds are available for either vulnerability.
Impact and Affected Versions
The vulnerabilities affect Cisco Unified CCX regardless of device configuration.
Cisco Unified Contact Center Enterprise (Unified CCE) and Packaged Contact Center Enterprise (Packaged CCE) are not affected.
Vulnerable versions include Cisco Unified CCX 12.5 SU3 and earlier, as well as version 15.0. Cisco has released fixed software addressing these issues: version 12.5 SU3 ES07 for the 12.5 branch and version 15.0 ES01 for the 15.0 branch.
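To turn the affected and fixed versions above into an inventory check, here is an added example (not from Cisco or the advisory) that parses Unified CCX version strings of the form `12.5 SU3 ES07` and classifies them against the releases named in this summary. It assumes versions order by (major, minor, Service Update, Engineering Special) with a missing SU or ES counting as 0, that a later SU on the 12.5 branch includes the fix, and that branches not named here cannot be assessed from this page.

```python
import re
from typing import NamedTuple


class CcxVersion(NamedTuple):
    """Unified CCX release, ordered by tuple comparison (assumed ordering)."""
    major: int
    minor: int
    su: int  # Service Update number, 0 if absent
    es: int  # Engineering Special number, 0 if absent


# Accepts "12.5", "12.5 SU3", "12.5 SU3 ES07", "15.0 ES01" (case-insensitive).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\s*SU(\d+))?(?:\s*ES(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> CcxVersion:
    """Parse a Unified CCX version string; raise ValueError on unknown format."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Unified CCX version string: {text!r}")
    major, minor, su, es = m.groups()
    return CcxVersion(int(major), int(minor), int(su or 0), int(es or 0))


# Fixed releases named in the advisory summary, keyed by branch.
FIXED = {
    (12, 5): parse_version("12.5 SU3 ES07"),
    (15, 0): parse_version("15.0 ES01"),
}
# "12.5 SU3 and earlier" is affected.
LAST_VULNERABLE_12_5 = parse_version("12.5 SU3")


def assess(text: str) -> str:
    """Return "fixed", "vulnerable" or "unknown" for a version string."""
    v = parse_version(text)
    branch = (v.major, v.minor)
    if branch in FIXED:
        # Assumption: any release at or after the fixed ES on that branch is fixed.
        return "fixed" if v >= FIXED[branch] else "vulnerable"
    if v < LAST_VULNERABLE_12_5:
        return "vulnerable"  # covered by "12.5 SU3 and earlier"
    return "unknown"  # branch not named in the advisory summary (e.g. 14.0)
```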
Cisco strongly recommends upgrading to the latest patched versions of software. Organizations should prioritize updating Unified CCX deployments to mitigate the risk of remote code execution attacks.
The vulnerabilities were reported by security researcher Jahmel Harris of NATO Cyber Security Centre (NCSC). Currently, Cisco is not aware of any public exploits or active malicious use of these vulnerabilities in the wild.
