Cisco has disclosed two critical vulnerabilities affecting its Unified Contact Center Express (CCX) platform that could allow unauthenticated remote attackers to execute malicious code and gain elevated privileges.
The flaws present risks to organizations relying on CCX for customer support and call center operations.
Critical Remote Code Execution and Authentication Bypass
CVE-2025-20354
The first vulnerability, CVE-2025-20354, carries a CVSS severity score of 9.8, and is a critical remote code execution (RCE) flaw.
It resides in the Java Remote Method Invocation (RMI) process used by Unified CCX.
Improper authentication validation allows attackers to upload arbitrary files through the RMI service without any authentication.
Once exploited, this flaw enables attackers to execute system commands with root privileges, giving them complete control over the affected server.
This level of access could allow adversaries to install backdoors, steal sensitive customer data, or deploy ransomware across contact center networks.
Cisco confirmed that the root cause lies in flawed authentication mechanisms that fail to properly verify user identities during remote interactions.
By exploiting this gap, attackers can bypass security checks and directly interface with privileged processes.
CVE-2025-20358
The second flaw, CVE-2025-20358, carries a CVSS score of 9.4 and targets the Cisco Unified CCX Editor application.
This vulnerability allows attackers to perform an authentication bypass by redirecting the login flow to a malicious server.
When successful, the CCX Editor falsely recognizes the attacker’s server as legitimate, granting administrative access.
Once inside, attackers can create, modify, or execute arbitrary scripts as internal non-root users.
This exploit effectively allows malicious actors to manipulate call-handling workflows, inject custom scripts, or disrupt contact center operations.
Together, the two vulnerabilities form a powerful attack chain — one that begins with unauthenticated access and ends with persistent administrative control.
This sequence enables attackers to escalate privileges, execute code remotely, and maintain long-term presence within the target environment.
Affected Versions
According to Cisco’s advisory, both vulnerabilities affect all Unified CCX configurations, regardless of deployment settings or scale.
That includes on-premises and hybrid installations. However, other Cisco products, such as Unified Contact Center Enterprise (CCE) and Packaged Contact Center Enterprise (PCCE), remain unaffected.
Organizations using Unified CCX version 12.5 SU3 and earlier must upgrade immediately to version 12.5 SU3 ES07.
Those running version 15.0 should install version 15.0 ES01. Cisco has released patches addressing both vulnerabilities and confirmed that no workarounds are available.
Failure to apply these updates leaves systems open to complete compromise, as attackers could exploit these flaws to seize control of customer service operations, intercept customer communications, or deploy additional payloads throughout an enterprise network.
Broader Implications
The CCX vulnerabilities highlight an ongoing trend in which attackers target high-value, communication-centered systems that manage sensitive customer data.
Contact center infrastructure often integrates deeply with CRM platforms, authentication servers, and enterprise networks, making it an attractive target for cybercriminals.
The discovery of these flaws also underscores the importance of secure software design and continuous patch management in enterprise environments.
Systems that rely on remote method invocation, authentication handoffs, or multi-layered workflows must undergo frequent security reviews to mitigate emerging risks.
Recommended Mitigations
To reduce the risk posed by these critical Cisco Unified CCX vulnerabilities, organizations should take immediate action to strengthen their security posture, including:
- Apply security updates promptly by upgrading to Unified CCX 12.5 SU3 ES07 or 15.0 ES01 to patch both vulnerabilities.
- Restrict and monitor network access by limiting RMI and CCX Editor interfaces to trusted networks and using intrusion detection to flag unusual activity.
- Strengthen authentication and access controls through multi-factor authentication, least-privilege permissions, and the removal of default credentials.
- Maintain continuous security oversight with regular audits, vulnerability scans, detailed logging, and real-time alerting for suspicious events.
By implementing these measures, organizations can reduce their exposure to remote code execution and authentication bypass attacks and build cyber resilience.
As attackers increasingly target interconnected enterprise tools, maintaining an effective patch management program and enforcing layered security controls remain critical parts of cyber resilience.





