Cisco has issued an urgent security advisory detailing two critical vulnerabilities affecting its Unified Contact Center Express (Unified CCX) platform. The flaws, identified as CVE-2025-20354 and CVE-2025-20358, could allow unauthenticated remote attackers to execute arbitrary code, bypass authentication, and potentially gain root-level access to affected systems.
The vulnerabilities were disclosed in the advisory cisco-sa-cc-unauth-rce-QeN8h7mQ, published on November 5, 2025, at 16:00 GMT. Cisco has classified both flaws as critical, with CVSS base scores of 9.8 and 9.4, respectively. According to the company, no workarounds currently exist, making software updates the only effective remediation.
Details of the Vulnerabilities: CVE-2025-20354 and CVE-2025-20358
Cisco confirmed that the issues reside within the Java Remote Method Invocation (RMI) process and CCX Editor components of Unified CCX. Both vulnerabilities are independent, meaning one does not need to be exploited before the other can be used.
CVE-2025-20354 is a remote code execution vulnerability stemming from improper authentication mechanisms within certain Unified CCX features. It allows an unauthenticated, remote attacker to upload arbitrary files and execute commands with root privileges. An attacker could exploit this flaw by sending a crafted file through the Java RMI process, effectively taking full control of the underlying operating system.
This vulnerability, tracked under Cisco Bug ID CSCwq36528, received a CVSS score of 9.8, placing it among the highest severity levels. Cisco warned that successful exploitation could lead to complete system compromise, including the ability to elevate privileges to root.
The second flaw, CVE-2025-20358, affects the CCX Editor application. This authentication bypass vulnerability arises from weaknesses in how the CCX Editor communicates with the Unified CCX server. An attacker could manipulate this process by redirecting authentication to a malicious server, deceiving the system into accepting unauthorized access.
If successfully exploited, this vulnerability could enable an attacker to create and execute arbitrary scripts within the affected environment using an internal non-root account. Although this vulnerability is slightly less severe than the RCE flaw, its CVSS score of 9.4 still categorizes it as critical. The issue is documented under Cisco Bug ID CSCwq36573.
Impacted Products and Workarounds
Cisco stated that all versions of Unified CCX are vulnerable, regardless of device configuration. The company confirmed that its Packaged Contact Center Enterprise (Packaged CCE) and Unified Contact Center Enterprise (Unified CCE) products are not affected by CVE-2025-20354 or CVE-2025-20358.
Cisco’s advisory noted that no workarounds or temporary mitigations are available for these vulnerabilities. The company strongly urges all customers to apply the newly released software updates as the only permanent solution.
To fully remediate the flaws, Cisco recommends upgrading to the fixed releases as follows:
- Unified CCX 12.5 SU3 ES07 (for release 12.5 SU3 and earlier versions)
- Unified CCX 15.0 ES01 (for release 15.0)
The Cisco Product Security Incident Response Team (PSIRT) validated the fixed versions and confirmed that these are the earliest builds containing the necessary patches.
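Because the advisory offers no workaround, the practical defender task is inventory triage: find every Unified CCX node running a build older than the fixed release for its train. The following is an added example, not code from Cisco or from the advisory; it assumes version strings of the form "12.5 SU3 ES05" (the parsing format is an assumption), uses only the two fixed releases named above, and treats any later ES build on the same train as carrying the fix (also an assumption). The inventory records are constructed sample data.

```python
import re
from typing import NamedTuple, Optional

# Version string format assumed for this example: "<major>.<minor>[ SU<n>][ ES<n>]".
VERSION_RE = re.compile(
    r"^\s*(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\s*SU(?P<su>\d+))?"
    r"(?:\s*ES(?P<es>\d+))?\s*$",
    re.IGNORECASE,
)

ADVISORY = "cisco-sa-cc-unauth-rce-QeN8h7mQ"


class CcxVersion(NamedTuple):
    """Ordered (major, minor, service update, engineering special) tuple."""
    major: int
    minor: int
    su: int
    es: int

    @property
    def train(self) -> tuple:
        return (self.major, self.minor)

    def __str__(self) -> str:
        text = f"{self.major}.{self.minor}"
        if self.su:
            text += f" SU{self.su}"
        if self.es:
            text += f" ES{self.es:02d}"
        return text


def parse_version(text: str) -> CcxVersion:
    """Parse a Unified CCX version string; missing SU/ES count as 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Unified CCX version string: {text!r}")
    return CcxVersion(int(m["major"]), int(m["minor"]),
                      int(m["su"] or 0), int(m["es"] or 0))


# Fixed releases named in the advisory, keyed by release train.
FIXED_RELEASES = {
    (12, 5): parse_version("12.5 SU3 ES07"),
    (15, 0): parse_version("15.0 ES01"),
}


def assess(version_text: str) -> dict:
    """Return status and required action for one Unified CCX version."""
    v = parse_version(version_text)
    fixed: Optional[CcxVersion] = FIXED_RELEASES.get(v.train)
    if fixed is None:
        # The advisory states all releases are affected but lists fixed builds
        # only for the 12.5 and 15.0 trains; anything else needs a manual look.
        return {"version": str(v), "status": "vulnerable",
                "action": f"no fixed build listed for this train; consult {ADVISORY}"}
    if v >= fixed:  # NamedTuple compares field by field, left to right
        return {"version": str(v), "status": "fixed", "action": "none"}
    return {"version": str(v), "status": "vulnerable",
            "action": f"upgrade to {fixed}"}


def triage(inventory: list) -> list:
    """Return (host, version, action) for every host that still needs work."""
    findings = []
    for host, version_text in inventory:
        result = assess(version_text)
        if result["status"] != "fixed":
            findings.append((host, result["version"], result["action"]))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ccx-pub-01", "12.5 SU3 ES05"),
    ("ccx-sub-01", "12.5 SU2"),
    ("ccx-lab-01", "15.0"),
    ("ccx-lab-02", "15.0 ES01"),
    ("ccx-old-01", "11.6 SU3"),
]

if __name__ == "__main__":
    for host, version, action in triage(SAMPLE_INVENTORY):
        print(f"{host:<12} {version:<16} {action}")
```

The comparison relies on tuple ordering, so a node on 12.5 SU3 ES05 is flagged below 12.5 SU3 ES07 while 15.0 ES01 is reported as fixed; releases outside the two trains the advisory names are still marked vulnerable but sent back to the advisory rather than guessed at.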
No Known Exploitation Yet
As of publication, Cisco’s PSIRT reported no evidence of public exploitation or malicious activity related to CVE-2025-20354 or CVE-2025-20358.
However, given the critical nature and remote attack vector of these vulnerabilities, security experts warn that exploitation attempts could surface soon after disclosure.
Cisco credited security researcher Jahmel Harris for responsibly reporting the issues. The company’s acknowledgment reinforces the importance of coordinated vulnerability disclosure in protecting enterprise environments from high-impact cyber threats.
