Severity
High
Analysis Summary
A critical security advisory has been issued for Cisco Unified Contact Center Express (Unified CCX), addressing two severe vulnerabilities that could allow unauthenticated remote attackers to execute arbitrary commands and gain full system control. The flaws were disclosed on November 5, 2025, with an advisory update on November 13, 2025. Both vulnerabilities are located in the Java Remote Method Invocation (RMI) process and the CCX Editor application, affecting versions 12.5 SU3 and earlier, as well as 15.0. Notably, Cisco Unified Contact Center Enterprise (Unified CCE) and Packaged Contact Center Enterprise (Packaged CCE) are not affected.
The first vulnerability, CVE-2025-20354, is in the Java RMI process and is rated high on the CVSS scale. Improper authentication mechanisms in certain Unified CCX features allow attackers to upload malicious files and execute arbitrary commands with root privileges. Exploitation involves sending crafted files via Java RMI without any authentication, potentially giving attackers complete system control. This represents a critical security risk for organizations using affected versions.
The second flaw, CVE-2025-20358, is in the CCX Editor and is also rated high on the CVSS scale. It enables attackers to bypass authentication, gain administrative permissions, and execute arbitrary scripts on the underlying system. Attackers can manipulate the authentication flow by redirecting it to malicious servers, which tricks the CCX Editor into accepting unauthorized access. As with the first flaw, there are no available workarounds, making patching essential.
Cisco has released fixed software versions to address these vulnerabilities: 12.5 SU3 ES07 for the 12.5 branch and 15.0 ES01 for version 15.0. Organizations are strongly advised to upgrade immediately to mitigate the risk of remote code execution attacks. The vulnerabilities were reported by a security researcher at the NATO Cyber Security Centre (NCSC). As of now, Cisco is not aware of any public exploits or active attacks leveraging these flaws. Prioritizing timely updates and vulnerability scanning is critical for protecting Unified CCX deployments.
Impact
- Code Execution
- Security Bypass
- Gain Access
Indicators of Compromise
CVE
CVE-2025-20354
CVE-2025-20358
Affected Vendors
Remediation
- Upgrade Cisco Unified CCX to version 12.5 SU3 ES07 or 15.0 ES01 immediately.
- Apply all available security patches for affected Unified CCX versions.
- Verify that all CCX deployments are running patched software and no vulnerable versions remain.
- Restrict access to Java RMI services to trusted internal networks only.
- Monitor system logs for any suspicious file uploads or unauthorized script execution attempts.
- Conduct regular vulnerability scans on Unified CCX servers to ensure no new issues exist.
- Review and enforce strong authentication policies for CCX Editor and related components.
- Limit administrative privileges to necessary personnel and regularly audit access controls.
- Maintain regular backups of critical systems before applying updates or patches.
- Stay updated on Cisco security advisories for any new information or follow-up patches.
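One way to carry out the "verify that all CCX deployments are running patched software" step, as an added example that is not part of the original advisory or Cisco's tooling. It assumes an inventory of version strings written the way this page writes them ("12.5 SU3 ES07"); the hostnames and the `classify` and `audit` helpers are hypothetical, and anything the page does not cover is reported as unknown for manual review.

```python
import re

# Fixed releases named above: (major, minor) -> (SU number, ES number).
FIXED = {
    (12, 5): (3, 7),   # 12.5 SU3 ES07
    (15, 0): (0, 1),   # 15.0 ES01
}
# Assumed string format, mirroring how the advisory writes versions.
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\s+SU(\d+))?(?:\s+ES(\d+))?\s*$", re.IGNORECASE)

def classify(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for one version string."""
    m = VERSION_RE.match(version)
    if not m:
        return "unknown"                    # unparseable: check by hand
    train = (int(m.group(1)), int(m.group(2)))
    su, es = int(m.group(3) or 0), int(m.group(4) or 0)
    if train < (12, 5):
        return "vulnerable"                 # "12.5 SU3 and earlier"
    if train not in FIXED:
        return "unknown"                    # train the advisory does not cover
    fixed_su, fixed_es = FIXED[train]
    if su < fixed_su:
        return "vulnerable"
    if su > fixed_su:
        return "unknown"                    # later SU: not covered above
    return "fixed" if es >= fixed_es else "vulnerable"

def audit(inventory):
    """Group hostnames by patch status so unknowns are not silently passed."""
    report = {"fixed": [], "vulnerable": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        report[classify(version)].append(host)
    return report

# Constructed inventory with hypothetical hostnames.
SAMPLE = {
    "ccx-a.example.internal": "12.5 SU3 ES07",
    "ccx-b.example.internal": "12.5 SU3",
    "ccx-c.example.internal": "15.0",
    "ccx-d.example.internal": "unrecognised build string",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts in the unknown group need the same follow-up as vulnerable ones until their release is confirmed against the vendor advisory.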

