Cisco has issued a critical security advisory warning of multiple vulnerabilities in its Unified Contact Center Express (Unified CCX) software that could enable unauthenticated remote attackers to execute arbitrary code and escalate privileges.
Published on November 5, 2025, the advisory covers two flaws affecting the Java Remote Method Invocation (RMI) process and the CCX Editor application.
These issues, rated critical with CVSS scores of 9.8 and 9.4, pose significant risks to organizations relying on Unified CCX for customer interaction management, potentially leading to full system compromise without user interaction.
The vulnerabilities stem from improper authentication mechanisms, allowing attackers to upload malicious files, bypass login controls, and run commands with elevated permissions.
CVE-2025-20354 affects the RMI process: an attacker can upload a file through it and have commands executed with root privileges.
CVE-2025-20358 affects the CCX Editor: an attacker can redirect its authentication flow to a malicious server, gaining administrative access to script creation and execution as a non-root user.
Exploitation does not require prior access or specific configurations, making these flaws particularly dangerous for internet-exposed systems. Cisco emphasizes that the issues are independent, so patching both is essential.

| CVE ID | Description | CVSS Score | Vector | Affected Components | Impact |
|---|---|---|---|---|---|
| CVE-2025-20354 | Remote Code Execution via RMI file upload | 9.8 (Critical) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Java RMI process in Unified CCX | Arbitrary command execution with root privileges; full system compromise |
| CVE-2025-20358 | Authentication Bypass in CCX Editor | 9.4 (Critical) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | CCX Editor application communication | Unauthorized script creation/execution; potential escalation to higher privileges |

Affected Versions and Remediation Steps

All versions of Cisco Unified CCX are vulnerable, regardless of configuration, including releases 12.5 SU3 and earlier, as well as 15.0.
Products like Packaged Contact Center Enterprise and Unified Contact Center Enterprise remain unaffected.
Cisco reports no public exploitation or announcements at this time and credits security researcher Jahmel Harris with the disclosure.
To mitigate, organizations must upgrade immediately to fixed releases: 12.5 SU3 ES07 for older branches and 15.0 ES01 for the latest.
No workarounds exist, which underscores the urgency of keeping deployments air-gapped or segmented where possible.
Administrators should monitor RMI ports and editor communications closely during the patching window.
Failure to act could expose sensitive call center data and infrastructure to ransomware or data exfiltration attacks, amplifying operational disruptions in high-stakes environments.
As threat actors increasingly target enterprise communication tools, this incident highlights the need for robust vulnerability management in contact center solutions.
Cisco urges customers to consult the advisory for precise upgrade paths and contact support if needed.





