Cisco has disclosed critical remote code execution vulnerabilities affecting its Unified Contact Center Express (CCX) platform, allowing unauthenticated attackers to execute arbitrary commands with elevated privileges on vulnerable systems.
The vulnerabilities, published on November 5, 2025, impact the Java Remote Method Invocation process and pose a severe risk to organizations relying on Cisco’s contact center infrastructure.
The two critical vulnerabilities enable attackers to bypass authentication mechanisms and upload malicious files without requiring valid credentials.
Organizations using Cisco Unified CCX should prioritize deploying available security updates immediately, as no workarounds exist to mitigate the risks.
The vulnerabilities represent a significant threat to enterprise communication systems and customer service operations.
Unauthenticated File Upload and Code Execution
CVE-2025-20354 is the more severe of the two vulnerabilities, allowing remote attackers to upload crafted files through the Java RMI process and execute arbitrary commands with root-level privileges.
The vulnerability stems from improper authentication mechanisms associated with specific Cisco Unified CCX features.
An attacker exploiting this flaw could gain complete control over the affected system, accessing sensitive customer data and disrupting critical business operations.
The vulnerability requires no user interaction and can be exploited from the network without prior authentication.
This makes it particularly dangerous for organizations with internet-facing Cisco Unified CCX deployments.
Attackers could leverage this vulnerability to establish persistent backdoors, steal customer information, or launch attacks against interconnected systems.
CVE-2025-20358 allows attackers to bypass authentication in the Contact Center Express Editor application, obtaining administrative permissions without valid credentials.
The vulnerability exploits improper authentication mechanisms in communication between the CCX Editor and the Unified CCX server.
Attackers could redirect the authentication flow to a malicious server, tricking the editor into believing authentication succeeded.
This vulnerability enables attackers to create and execute arbitrary scripts within the Unified CCX environment.
While scripts execute with internal non-root user account privileges rather than root, the ability to create and run custom scripts still provides significant capabilities for attackers to manipulate system behavior, exfiltrate data, or establish persistence.
Cisco has released software updates that address both vulnerabilities; no workarounds are available.
Organizations must upgrade immediately to patched releases: version 12.5 SU3 ES07 for the 12.5 branch or version 15.0 ES01 for the 15.0 release.
The company emphasizes that complete remediation requires upgrading to fixed software releases rather than relying on temporary mitigations.
Administrators should verify their current Cisco Unified CCX version against the fixed releases table and schedule updates outside business-critical hours.
The absence of workarounds makes immediate patching essential for maintaining security posture and preventing potential exploitation by threat actors.
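A version triage for the check described above, as an added example that is not Cisco tooling or code from the original article. Only the two fixed releases come from the article; the version-string format (following the article's notation, e.g. `12.5 SU3 ES07`), the status labels and the sample inventory are assumptions.

```python
import re

# Fixed releases named in the article, per branch: (SU number, ES number).
FIXED = {"12.5": (3, 7), "15.0": (0, 1)}

# Assumed string format, following the article's notation: "12.5 SU3 ES07".
_VERSION_RE = re.compile(
    r"^\s*(\d+\.\d+)(?:\s+SU(\d+))?(?:\s+ES(\d+))?\s*$", re.IGNORECASE
)

def parse_version(text):
    """Return (branch, su, es); a missing SU or ES counts as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    branch, su, es = m.groups()
    return branch, int(su or 0), int(es or 0)

def triage(text):
    """Classify a version string as 'fixed', 'needs-upgrade' or 'review'."""
    try:
        branch, su, es = parse_version(text)
    except ValueError:
        return "review"  # unparseable: check by hand
    if branch not in FIXED:
        return "review"  # branch not named in the article
    fixed_su, fixed_es = FIXED[branch]
    if su > fixed_su:
        return "review"  # later SU: the article does not say if it has the fix
    if su == fixed_su and es >= fixed_es:
        return "fixed"
    return "needs-upgrade"

# Constructed sample inventory; hostnames and versions are made up.
INVENTORY = {
    "ccx-a.example.net": "12.5 SU3 ES07",
    "ccx-b.example.net": "12.5 SU3 ES05",
    "ccx-c.example.net": "15.0",
    "ccx-d.example.net": "11.6 SU2",
}

def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:20} {INVENTORY[host]:15} {status}")
```

Anything reported as `review` falls outside what the article states and should be checked against Cisco's advisory by hand.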
| Vulnerability | CVE ID | CVSS Score | CVSS Vector | Impact | Bug ID |
|---|---|---|---|---|---|
| Cisco Unified CCX Remote Code Execution | CVE-2025-20354 | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Unauthenticated file upload and arbitrary command execution with root privileges | CSCwq36528 |
| Cisco Unified CCX Editor Authentication Bypass | CVE-2025-20358 | 9.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | Authentication bypass enabling script creation and execution with non-root privileges | CSCwq36573 |