Cisco disclosed a critical weakness within the web-based management interface of its Unified Intelligence Center (CUIC) that can be exploited by authenticated remote attackers to upload arbitrary files.
Tracked as CVE-2025-20274 and carrying a CVSS base score of 6.3, the flaw stems from insufficient validation of user-supplied files during the upload process.
Attackers who possess valid credentials with at least the Report Designer role could leverage this vulnerability to deposit malicious content on the system and execute commands at the operating system level, potentially achieving root-level access.
With no available workarounds, organizations using CUIC are urged to apply the provided software updates immediately to mitigate the risk of privilege escalation and system compromise.
The core of the vulnerability lies in CUIC’s failure to properly validate file types and content before accepting uploads through its web-based interface.
Specifically, the interface does not enforce adequate checks on file extensions or inspect internal file metadata to confirm that the content matches its declared type.
Consequently, an attacker can circumvent intended restrictions by supplying a specially crafted payload disguised as a benign report component.
Once stored on the underlying file system, this payload can be invoked through the application or directly executed via system calls, resulting in arbitrary command execution with the privileges of the Cisco service process.
Further compounding the risk is the fact that CUIC is often deployed as an integral component of broader Cisco contact center solutions, including Packaged Contact Center Enterprise and Unified Contact Center Enterprise.
In many environments, these systems operate with elevated privileges to facilitate integration, reporting, and data analytics.
When an attacker exploits the upload vulnerability, they can leverage the compromised process context to navigate beyond the reporting layer, access sensitive configuration files, and potentially manipulate call routing or customer data streams.
The issue is tracked internally under Cisco Bug IDs CSCwn18794 and CSCwn26636 and is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type).
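The two missing checks described above (an extension allowlist and a test that the content matches the declared type) can be sketched server-side as follows. This is an added example, not Cisco's code or its fix; the allowed types, size limit, and function names are assumptions chosen for illustration.

```python
import os
import secrets


def _is_zip(head: bytes) -> bool:
    return head.startswith(b"PK\x03\x04")


def _is_xml(head: bytes) -> bool:
    # Tolerate a UTF-8 BOM and leading whitespace before the XML declaration.
    return head.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<?xml")


# Assumed allowlist: extension -> predicate over the file's leading bytes.
ALLOWED = {".zip": _is_zip, ".xml": _is_xml}
MAX_BYTES = 5 * 1024 * 1024  # assumed upper bound for an uploaded component


class UploadRejected(ValueError):
    """Raised when an upload fails any validation step."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return a server-generated storage name, or raise UploadRejected."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or "\x00" in base:
        raise UploadRejected("path components or NUL in file name")
    stem, ext = os.path.splitext(base.lower())
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if "." in stem:
        raise UploadRejected("multiple extensions")
    if not 0 < len(data) <= MAX_BYTES:
        raise UploadRejected("size out of bounds")
    if not ALLOWED[ext](data[:16]):
        raise UploadRejected("content does not match declared type")
    # The client-supplied name is never reused. Store the file under this
    # random name in a directory the server will not execute from.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_upload("report.xml", b'<?xml version="1.0"?><report/>'))
    for name, body in [("report.sh", b"#!/bin/sh\n"), ("report.xml", b"#!/bin/sh\n")]:
        try:
            validate_upload(name, body)
        except UploadRejected as exc:
            print(f"{name}: rejected ({exc})")
```

A leading-bytes check only confirms the file starts like its declared type, so the random storage name and a non-executable storage location remain necessary alongside it.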
Cisco Intelligence Center Vulnerability
The vulnerability affects all versions of Cisco Unified Intelligence Center prior to 12.5(1) SU ES05 and 12.6(2) ES05, as well as early releases of Unified Contact Center Express that include CUIC.
Notably, CUIC integrated within Cisco Unified CCX 12.5(1) SU3 and earlier is vulnerable, while releases based on version 15 and higher remain unaffected. Cisco has confirmed that other related products, such as Cisco Finesse, are not impacted by this issue.
Given the prevalence of CUIC in enterprise contact center environments that handle high-volume voice and data traffic, the potential for widespread exploitation is significant.
The advisory emphasizes that successful exploitation could result in full system compromise, as the attacker could first store their payload and then execute arbitrary commands with root-level privileges.
While no public reports or active exploit campaigns have been observed to date, the high security impact rating underscores the danger of delayed remediation.
Contact center systems often house sensitive customer interactions, call recordings, and personally identifiable information, making them attractive targets for financially motivated threat actors and criminal syndicates seeking to exfiltrate data or disrupt service operations.
Resolution and Recommendations
To address the vulnerability, Cisco has released free software updates for CUIC and Unified CCX. Customers running CUIC version 12.5 should upgrade to 12.5(1) SU ES05 or later, while those on 12.6 should move to 12.6(2) ES05.
Users of Unified CCX 12.5(1) SU3 and earlier must migrate to a fixed release, and all deployments based on version 15 are already secure.
Administrators are advised to verify device memory and compatibility with new releases before installation and to consult the Cisco Technical Assistance Center if they lack active service contracts or require additional guidance.
Since there are no viable workarounds to neutralize the vulnerability, timely application of the patches remains the sole remedy.
Cisco recommends that organizations maintain rigorous patch management practices and continuously monitor security advisories for updates.
By ensuring that CUIC instances run on the fixed software versions, enterprises can prevent unauthorized file uploads and safeguard their contact center infrastructure from potential root-level intrusions.




