Cisco CCX Vulnerabilities Open Door to Remote Attacks | eSecurity Planet

Cisco CCX Vulnerabilities Open Door to Remote Attacks

Critical flaws in Cisco’s Unified CCX platform allow remote attackers to execute malicious code and gain full control of contact center systems.

Written By
Ken Underhill
Ken Underhill
Nov 5, 2025
3 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Cisco has disclosed two critical vulnerabilities affecting its Unified Contact Center Express (CCX) platform that could allow unauthenticated remote attackers to execute malicious code and gain elevated privileges. 

The flaws present risks to organizations relying on CCX for customer support and call center operations.

Critical Remote Code Execution and Authentication Bypass

CVE-2025-20354

The first vulnerability, CVE-2025-20354, carries a CVSS severity score of 9.8, and is a critical remote code execution (RCE) flaw. 

It resides in the Java Remote Method Invocation (RMI) process used by Unified CCX. 

Improper authentication validation allows attackers to upload arbitrary files through the RMI service without any authentication.

Once exploited, this flaw enables attackers to execute system commands with root privileges, giving them complete control over the affected server. 

This level of access could allow adversaries to install backdoors, steal sensitive customer data, or deploy ransomware across contact center networks.

Cisco confirmed that the root cause lies in flawed authentication mechanisms that fail to properly verify user identities during remote interactions. 

By exploiting this gap, attackers can bypass security checks and directly interface with privileged processes.

Advertisement

CVE-2025-20358

The second flaw, CVE-2025-20358, carries a CVSS score of 9.4 and targets the Cisco Unified CCX Editor application. 

This vulnerability allows attackers to perform an authentication bypass by redirecting the login flow to a malicious server. 

When successful, the CCX Editor falsely recognizes the attacker’s server as legitimate, granting administrative access.

Once inside, attackers can create, modify, or execute arbitrary scripts as internal non-root users. 

This exploit effectively allows malicious actors to manipulate call-handling workflows, inject custom scripts, or disrupt contact center operations.

Together, the two vulnerabilities form a powerful attack chain — one that begins with unauthenticated access and ends with persistent administrative control. 

This sequence enables attackers to escalate privileges, execute code remotely, and maintain long-term presence within the target environment.

Affected Versions

According to Cisco’s advisory, both vulnerabilities affect all Unified CCX configurations, regardless of deployment settings or scale. 

That includes on-premises and hybrid installations. However, other Cisco products, such as Unified Contact Center Enterprise (CCE) and Packaged Contact Center Enterprise (PCCE), remain unaffected.

Organizations using Unified CCX version 12.5 SU3 and earlier must upgrade immediately to version 12.5 SU3 ES07. 

Those running version 15.0 should install version 15.0 ES01. Cisco has released patches addressing both vulnerabilities and confirmed that no workarounds are available.

Failure to apply these updates leaves systems open to complete compromise, as attackers could exploit these flaws to seize control of customer service operations, intercept customer communications, or deploy additional payloads throughout an enterprise network.

Advertisement

Broader Implications

The CCX vulnerabilities highlight an ongoing trend in which attackers target high-value, communication-centered systems that manage sensitive customer data. 

Contact center infrastructure often integrates deeply with CRM platforms, authentication servers, and enterprise networks, making it an attractive target for cybercriminals.

The discovery of these flaws also underscores the importance of secure software design and continuous patch management in enterprise environments. 

Systems that rely on remote method invocation, authentication handoffs, or multi-layered workflows must undergo frequent security reviews to mitigate emerging risks.

To reduce the risk posed by these critical Cisco Unified CCX vulnerabilities, organizations should take immediate action to strengthen their security posture, including:

  • Apply security updates promptly by upgrading to Unified CCX 12.5 SU3 ES07 or 15.0 ES01 to patch both vulnerabilities.
  • Restrict and monitor network access by limiting RMI and CCX Editor interfaces to trusted networks and using intrusion detection to flag unusual activity.
  • Strengthen authentication and access controls through multi-factor authentication, least-privilege permissions, and the removal of default credentials.
  • Maintain continuous security oversight with regular audits, vulnerability scans, detailed logging, and real-time alerting for suspicious events.

By implementing these measures, organizations can reduce their exposure to remote code execution and authentication bypass attacks and build cyber resilience.

As attackers increasingly target interconnected enterprise tools, maintaining an effective patch management program and enforcing layered security controls remain critical parts of cyber resilience.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.