Full Report
Cisco has issued an urgent security advisory detailing two critical vulnerabilities affecting its Unified Contact Center Express (Unified CCX) platform. The flaws, identified as CVE-2025-20354 and CVE-2025-20358, could allow unauthenticated remote attackers to execute arbitrary code, bypass authentication, and potentially gain root-level access to affected systems.

The vulnerabilities were disclosed in the advisory cisco-sa-cc-unauth-rce-QeN8h7mQ, published on November 5, 2025, at 16:00 GMT. Cisco has classified both flaws as critical, with CVSS base scores of 9.8 and 9.4, respectively. According to the company, no workarounds currently exist, making software updates the only effective remediation.

Details of the Vulnerabilities: CVE-2025-20354 and CVE-2025-20358

Cisco confirmed that the issues reside within the Java Remote Method Invocation (RMI) process and CCX Editor components of Unified CCX. Both vulnerabilities are independent, meaning one does not need to be exploited before the other can be used.

CVE-2025-20354 is a remote code execution vulnerability stemming from improper authentication mechanisms within certain Unified CCX features. It allows an unauthenticated, remote attacker to upload arbitrary files and execute commands with root privileges. An attacker could exploit this flaw by sending a crafted file through the Java RMI process, effectively taking full control of the underlying operating system.

This vulnerability, tracked under Cisco Bug ID CSCwq36528, received a CVSS score of 9.8, placing it among the highest severity levels. Cisco warned that successful exploitation could lead to complete system compromise, including the ability to elevate privileges to root.

The second flaw, CVE-2025-20358, affects the CCX Editor application. This authentication bypass vulnerability arises from weaknesses in how the CCX Editor communicates with the Unified CCX server. An attacker could manipulate this process by redirecting authentication to a malicious server, deceiving the system into accepting unauthorized access. If successfully exploited, this vulnerability could enable an attacker to create and execute arbitrary scripts within the affected environment using an internal non-root account.

Although this vulnerability is slightly less severe than the RCE flaw, its CVSS score of 9.4 still categorizes it as critical. The issue is documented under Cisco Bug ID CSCwq36573.

Impacted Products and Workarounds

Cisco stated that all versions of Unified CCX are vulnerable, regardless of device configuration. The company confirmed that its Packaged Contact Center Enterprise (Packaged CCE) and Unified Contact Center Enterprise (Unified CCE) products are not affected by CVE-2025-20354 or CVE-2025-20358.

Cisco’s advisory noted that no workarounds or temporary mitigations are available for these vulnerabilities. The company strongly urges all customers to apply the newly released software updates as the only permanent solution.

To fully remediate the flaws, Cisco recommends upgrading to fixed releases as follows:

- Unified CCX 12.5 SU3 ES07 (and earlier versions)
- Unified CCX 15.0 ES01

The Cisco Product Security Incident Response Team (PSIRT) validated the fixed versions and confirmed that these are the earliest builds containing the necessary patches.

No Known Exploitation Yet

As of publication, Cisco’s PSIRT reported no evidence of public exploitation or malicious activity related to CVE-2025-20354 or CVE-2025-20358. However, given the critical nature and remote attack vector of these vulnerabilities, security experts warn that exploitation attempts could surface soon after disclosure.

Cisco credited security researcher Jahmel Harris for responsibly reporting the issues. The company’s acknowledgment reinforces the importance of coordinated vulnerability disclosure in protecting enterprise environments from high-impact cyber threats.
Analysis Summary
# Vulnerability Summary: Critical RCE and Auth Bypass in Cisco Unified CCX
## CVE Details
- **CVE ID:** CVE-2025-20354
- **CVSS Score:** 9.8 (Critical)
- **CWE:** Insufficient Authentication (Implied by description)
- **CVE ID:** CVE-2025-20358
- **CVSS Score:** 9.4 (Critical)
- **CWE:** Authentication Bypass (Implied by description)
## Affected Systems
- **Products:** Cisco Unified Contact Center Express (Unified CCX)
- **Versions:** All versions of Unified CCX are reported as vulnerable. The fixed releases are Unified CCX 12.5 SU3 ES07 and Unified CCX 15.0 ES01.
- **Configurations:** Vulnerable regardless of device configuration.
- **Unaffected Products:** Packaged Contact Center Enterprise (Packaged CCE) and Unified Contact Center Enterprise (Unified CCE) are *not* affected.
## Vulnerability Description
**CVE-2025-20354 (RCE - CVSS 9.8):** A Remote Code Execution vulnerability residing in the Java Remote Method Invocation (RMI) process. It stems from improper authentication mechanisms. An **unauthenticated, remote attacker** can send a crafted file through the RMI process to execute arbitrary commands with **root privileges**, leading to complete system compromise. (Bug ID: CSCwq36528)
**CVE-2025-20358 (Auth Bypass - CVSS 9.4):** An Authentication Bypass vulnerability affecting the CCX Editor component. Weaknesses in communication allow an attacker to redirect authentication requests to a malicious server. Successful exploitation leads to the attacker creating and executing arbitrary scripts using an **internal non-root account**. (Bug ID: CSCwq36573)
## Exploitation
- **Status:** No evidence of public exploitation reported by Cisco PSIRT as of publication.
- **Complexity:** Implied to be low, as CVE-2025-20354 allows for unauthenticated remote access.
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Root access allows full data exposure).
- **Integrity:** High (Arbitrary code execution/command execution).
- **Availability:** High (Complete system compromise).
## Remediation
### Patches
The only effective remediation is applying provided software updates:
- Upgrade to **Unified CCX 12.5 SU3 ES07** or later.
- Upgrade to **Unified CCX 15.0 ES01** or later.
*(These are confirmed as the earliest builds containing the necessary patches).*
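
The fixed-release floors listed above can be applied to a version inventory to find hosts that still need the update. This is an added example, not Cisco tooling or code from the advisory; the label notation (`12.5 SU3 ES07`) is assumed to match the way this page writes versions, and the function names, host names and sample inventory are constructed for illustration.

```python
import re

# Earliest fixed builds named on this page, keyed by release train.
# Value layout: (SU number, ES number).
FIXED = {
    (12, 5): (3, 7),  # Unified CCX 12.5 SU3 ES07
    (15, 0): (0, 1),  # Unified CCX 15.0 ES01
}

# Assumed label notation, as written on this page: "12.5 SU3 ES07", "15.0 ES01".
LABEL = re.compile(r"^\s*(\d+)\.(\d+)(?:\s+SU(\d+))?(?:\s+ES(\d+))?\s*$", re.I)


def parse_label(label):
    """Return ((major, minor), (su, es)) or None if the label is not in that notation."""
    m = LABEL.match(label)
    if not m:
        return None
    major, minor, su, es = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (su, es)


def triage(label):
    """Classify one version label as 'fixed', 'vulnerable' or 'unknown'."""
    parsed = parse_label(label)
    if parsed is None:
        return "unknown"  # e.g. a raw build number; resolve by hand
    train, build = parsed
    if train in FIXED:
        return "fixed" if build >= FIXED[train] else "vulnerable"
    if train < min(FIXED):
        return "vulnerable"  # older than the oldest fixed train, so no fix in it
    return "unknown"  # train not named on this page; check the advisory


def triage_inventory(inventory):
    """Map host -> status, for hosts that still need action or review."""
    return {h: s for h, v in sorted(inventory.items()) if (s := triage(v)) != "fixed"}


# Constructed sample inventory (host names and versions are illustrative).
SAMPLE = {
    "ccx-01": "12.5 SU3 ES06", "ccx-02": "12.5 SU3 ES07", "ccx-03": "15.0",
    "ccx-04": "15.0 ES01", "ccx-05": "11.6 SU2", "ccx-06": "12.5.1.11003-511",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status} ({SAMPLE[host]})")
```

Labels that do not parse, or release trains this page does not name, are reported as `unknown` rather than guessed, so they get checked against the vendor advisory by hand.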
### Workarounds
- **None** are available. Software updates are mandatory.
## Detection
- **Indicators of compromise:** Unusually high file-upload activity targeting the Java RMI process, or unusual script executions originating from the CCX Editor component, especially prior to patching. Unexpected authentication redirections observed through external monitoring.
- **Detection methods and tools:** Monitor network traffic directed at the RMI ports for unusual payloads characteristic of file uploads or command injection attempts related to these CVEs.
## References
- **Vendor Advisory (Advisory ID):** cisco-sa-cc-unauth-rce-QeN8h7mQ (Published November 5, 2025)