
Multiple Cisco Unified CCX Flaws Allow Attackers to Execute Arbitrary Commands

Cisco has disclosed critical remote code execution vulnerabilities affecting Cisco Unified Contact Center Express (CCX), exposing organizations to severe security risks.

The advisory details two independent vulnerabilities in the Java Remote Method Invocation (RMI) process that could allow unauthenticated attackers to gain complete system control, including root-level privileges.

The Threat Landscape

The vulnerabilities represent a significant threat to contact center operations worldwide. Attackers can exploit these flaws without authentication or user interaction, making them particularly dangerous in real-world scenarios.

The Java RMI process in Cisco Unified CCX, which handles critical communication functions, contains improper authentication mechanisms that create multiple attack vectors.

The first vulnerability enables attackers to upload arbitrary files and execute commands with root permissions on affected systems.

The second vulnerability allows attackers to bypass authentication mechanisms in the CCX Editor application, tricking the editor into believing they have legitimate access.

Once authenticated, attackers can create and execute arbitrary scripts with administrative privileges.

The two vulnerabilities carry CVSS base scores of 9.8 and 9.4, respectively, placing both in the critical severity range.

The attack vector is network-based, requires no special privileges, and demands no user interaction—a dangerous combination that elevates the urgency for immediate patching.

CVE-2025-20354 specifically targets the file upload functionality within the Java RMI process. By uploading specially crafted files, attackers can execute arbitrary commands on the underlying operating system with root-level access, potentially compromising the entire contact center infrastructure.

CVE-2025-20358, meanwhile, focuses on authentication bypass in the CCX Editor application.


Attackers can redirect the authentication flow to malicious servers, creating the illusion of successful authentication and granting them administrative permissions to create and execute scripts.

Cisco Unified CCX versions 12.5 SU3 and earlier, as well as version 15.0 and earlier, require immediate attention.

The company has released fixed software versions: 12.5 SU3 ES07 for legacy deployments and 15.0 ES01 for newer installations.

Cisco confirmed that Unified Contact Center Enterprise (Unified CCE) and Packaged Contact Center Enterprise (Packaged CCE) are not affected by these vulnerabilities, providing some relief for organizations using enterprise-grade solutions.

No workarounds exist to mitigate these vulnerabilities; patching is the only solution. Organizations operating vulnerable versions of Cisco Unified CCX should prioritize upgrading to fixed releases immediately.
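Because the only remediation is upgrading to 12.5 SU3 ES07 or 15.0 ES01, the practical first step for a defender is an inventory check: parse each deployment's reported version and decide whether it sits at or above the fixed release for its train. The following is an added example written for this article, not a Cisco tool; it assumes version strings in the "major.minor [SUn] [ESnn]" form the advisory uses, treats any 12.x or 14.x train other than 12.5 as covered by "12.5 SU3 and earlier" / "15.0 and earlier" with no fix listed, and the inventory lines it runs over are constructed sample data.

```python
import re
from dataclasses import dataclass

# Fixed releases named in the Cisco advisory, keyed by release train.
# Value is (SU level, ES level): a build on the same train is fixed when
# its own (SU, ES) pair is >= this pair.
FIXED_RELEASES = {
    (12, 5): (3, 7),   # 12.5 SU3 ES07
    (15, 0): (0, 1),   # 15.0 ES01
}

# ASSUMPTION: version strings look like "12.5(1) SU3 ES07" or "15.0 ES01".
# The optional "(n)" maintenance field is accepted but not used for ranking.
VERSION_RE = re.compile(
    r"^\s*(?P<major>\d+)\.(?P<minor>\d+)(?:\(\d+\))?(?:\.\d+)*"
    r"(?:\s+SU(?P<su>\d+))?"
    r"(?:\s+ES(?P<es>\d+))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class CcxVersion:
    major: int
    minor: int
    su: int   # service update level, 0 when absent
    es: int   # engineering special level, 0 when absent

    @property
    def train(self):
        return (self.major, self.minor)


def parse_version(text):
    """Parse a Unified CCX version string; raises ValueError on unknown formats."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Unified CCX version string: {text!r}")
    return CcxVersion(
        int(m["major"]), int(m["minor"]),
        int(m["su"] or 0), int(m["es"] or 0),
    )


def assess(text):
    """Classify one version string against the advisory's fixed releases.

    Returns one of:
      "fixed"                  - at or above the fixed ES for its train
      "affected"               - same train as a fixed release, but below it
      "affected-upgrade-train" - older train with no fix listed; move to a fixed train
      "unknown"                - newer than anything the advisory describes
    """
    v = parse_version(text)
    fixed = FIXED_RELEASES.get(v.train)
    if fixed is not None:
        return "fixed" if (v.su, v.es) >= fixed else "affected"
    if v.train < (15, 0):
        return "affected-upgrade-train"
    return "unknown"


def triage(inventory):
    """Map hostname -> status for an iterable of (hostname, version) pairs."""
    return {host: assess(version) for host, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("ccx-legacy-01", "12.5(1) SU3 ES07"),
        ("ccx-legacy-02", "12.5 SU3"),
        ("ccx-new-01", "15.0 ES01"),
        ("ccx-new-02", "15.0"),
        ("ccx-old-01", "12.0 SU1"),
    ]
    for host, status in triage(sample).items():
        print(f"{host:14s} {status}")
```

The comparison is deliberately tuple-based: an ES on an older SU (for example 12.5 SU2 ES10) still ranks below 12.5 SU3 ES07, which matches how Cisco numbers these builds. Feed it the version string from each node's administration page or your CMDB export.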

Given the critical nature of contact center systems and the potential for complete compromise through these vulnerabilities, swift remediation should take precedence in security roadmaps.

CVE ID         | Vulnerability Type                    | CVSS Score | Bug ID     | Impact
CVE-2025-20354 | Remote Code Execution via File Upload | 9.8        | CSCwq36528 | Root-level arbitrary command execution
CVE-2025-20358 | Authentication Bypass in CCX Editor   | 9.4        | CSCwq36573 | Administrative script creation and execution

Organizations should review their Cisco Unified CCX deployments immediately and apply patches without delay to prevent potential compromise of critical contact center infrastructure.


The post Multiple Cisco Unified CCX Flaws Allow Attackers to Execute Arbitrary Commands appeared first on Cyber Security News.
