Tom Keech
On 6 February 2025, Cisco disclosed two critical vulnerabilities, CVE-2025-20354 and CVE-2025-20358, affecting its Unified Contact Center Express (Unified CCX). Researcher Jahmel Harris is credited with reporting these issues to Cisco. The vulnerabilities could allow a remote, unauthenticated attacker to upload arbitrary files, bypass authentication and execute commands as the root user on the underlying operating system of affected Unified CCX servers.
Technical details
The problem comes from weak authentication in two different CCX components.
CVE-2025-20354 targets the Java RMI service. CCX exposes this service to accept remote data, but it does not properly check who is sending it. That means an attacker can upload a specially crafted file and run commands on the underlying operating system. Because the CCX service runs as root, a successful attacker can take full control of the machine.
CVE-2025-20358 targets the CCX Editor, a tool used to build and push workflow scripts. The Editor trusts the server during its login exchange, and this trust can be abused. An attacker can redirect that login step to a fake server and trick the Editor into thinking it has authenticated. Once exploited, the Editor will accept and run scripts supplied by the attacker, usually under an internal non-root service account.
Both flaws can be triggered remotely with no credentials and no user interaction. In short, an attacker can remotely seize the CCX application and, because of how CCX ties into call handling and identity systems, cause widespread disruption.
Impact summary
A remote, unauthenticated attacker can gain administrative control of Cisco Unified CCX by abusing the RMI service or CCX Editor communication channel. Successful exploitation could provide root access, permit arbitrary command execution, and facilitate lateral movement into adjacent network systems. For organisations where Unified CCX is deployed within call handling infrastructure, compromise of this system could result in full operational control of the call centre platform.
Mitigating the vulnerability
Cisco has released software updates to fully address these issues. Organisations running Unified CCX should apply the relevant updates immediately. Customers can refer to the Cisco Security Advisory for detailed information about the patches released to address these vulnerabilities.
Fixed releases
Affected release: Unified CCX 12.5 SU3 and earlier – First fixed release: 12.5 SU3 ES07
Affected release: Unified CCX 15.0 – First fixed release: 15.0 ES01
No workarounds are available for these vulnerabilities. If you are unable to apply the update immediately, temporary measures such as network segmentation and strict firewall rules may reduce exposure, but they are not substitutes for patching.
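As an added example, not part of the original post or of any Cisco tooling, the following Python script turns the fixed-release table above into a check that can be run over an inventory of Unified CCX hosts. It assumes version strings in the form the table uses ("12.5 SU3 ES07", "15.0 ES01"); real Cisco version strings may be formatted differently and would need a different pattern. Release lines the table does not mention are reported as "unknown" rather than assumed safe, so the operator is pushed back to the vendor advisory. Hostnames in the sample inventory are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Version strings are assumed to follow the form used in the advisory table,
# e.g. "12.5 SU3 ES07" or "15.0 ES01". Assumption: real Cisco version strings
# may be formatted differently and would need a different pattern.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*SU(\d+))?(?:\s*ES(\d+))?$", re.IGNORECASE)


@dataclass(frozen=True, order=True)
class CcxVersion:
    """Release identifier; field order gives lexicographic comparison
    (major, minor, service update, engineering special)."""
    major: int
    minor: int
    su: int = 0
    es: int = 0


def parse_version(text: str) -> CcxVersion:
    """Parse a version string such as '12.5 SU3 ES07' into a CcxVersion."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Unified CCX version string: {text!r}")
    major, minor, su, es = match.groups()
    return CcxVersion(int(major), int(minor), int(su or 0), int(es or 0))


# First fixed releases from the table on this page, keyed by release line.
FIRST_FIXED = {
    (12, 5): CcxVersion(12, 5, su=3, es=7),   # 12.5 SU3 ES07
    (15, 0): CcxVersion(15, 0, es=1),         # 15.0 ES01
}


def assess(text: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for a Unified CCX version string.

    'affected' covers "12.5 SU3 and earlier" and 15.0 before ES01. 'unknown'
    is returned for release lines the table does not mention, so the caller
    consults the vendor advisory instead of assuming the host is safe.
    """
    version = parse_version(text)
    line = (version.major, version.minor)
    if line in FIRST_FIXED:
        return "fixed" if version >= FIRST_FIXED[line] else "affected"
    if line < (12, 5):
        return "affected"
    return "unknown"


def hosts_needing_action(inventory):
    """Return (hostname, version, status) for every host not confirmed fixed."""
    results = ((host, ver, assess(ver)) for host, ver in inventory)
    return [r for r in results if r[2] != "fixed"]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample_inventory = [
        ("ccx-prod-01", "12.5 SU3"),
        ("ccx-prod-02", "12.5 SU3 ES07"),
        ("ccx-lab-01", "15.0"),
        ("ccx-lab-02", "15.0 ES01"),
        ("ccx-legacy", "11.6 SU3"),
    ]
    for host, ver, status in hosts_needing_action(sample_inventory):
        print(f"{host}: {ver} -> {status}")
```

The comparison relies on the dataclass field order, so a service update (SU) always outranks an engineering special (ES) within the same release line, which matches how the table orders 12.5 SU3 ES07 after 12.5 SU3.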
How can Sentrium help?
Sentrium offer vulnerability assessment and network penetration testing services that can support you in identifying vulnerable Windows Server systems across your environments. Start your assessment today by completing our pentest scoping form or get in touch with our team to find out more about our penetration testing services.
*** This is a Security Bloggers Network syndicated blog from Labs Archive - Sentrium Security authored by Tom Keech. Read the original post at: https://www.sentrium.co.uk/labs/cisco-unified-ccx-remote-code-execution-vulnerabilities-cve-2025-20354-cve-2025-20358
