
Cisco Unified CCX Flaws Expose Systems to Remote Code Execution (CVE-2025-20354, CVE-2025-20358)

johny899

Hello friends! If you are handling a Cisco Unified Contact Center Express (CCX) installation, pour yourself a cup of coffee and read on. Recently, Cisco disclosed two severe remote code execution vulnerabilities — CVE-2025-20354 and CVE-2025-20358 — that are very serious.

Here’s the situation: both of these vulnerabilities allow a remote attacker to take control of your Cisco Unified Contact Center Express server without authentication or a password. Yes, you read that right: no login authentication. This is possible because the vulnerabilities are in two different components of CCX:

CVE-2025-20354 affects the Java RMI service, which listens for requests from the internet and provides no validation of the sender before placing this data into memory, allowing the remote attacker to upload a crafted file and execute commands on the server. Furthermore, since this service runs as root, this equals complete control of the machine.

CVE-2025-20358 affects the CCX Editor, which is used to build workflow scripts. The CCX Editor allows the user to authenticate using the server, where an authenticated attacker can easily substitute or modify workflow scripts.

Both vulnerabilities enable remote and silent exploitation, meaning an attacker need not have a user click anything for the exploit to occur. In the case of call center operations that rely on CCX, this could lead to a very chaotic situation.

Why Is This Important

In a worst-case scenario, attackers may:

• Obtain root access to your CCX server.

• Execute any command they choose.

• Propagate laterally into other systems on your network.

• Possibly take control of your call center operations.

In other words, it is the kind of vulnerability that IT teams dread, as it could result in costly damages.

What To Do About It

The optimistic part? Cisco has provided updates to resolve both problems. Here are the options:

• Unified CCX 12.5 SU3 and earlier - upgrade to 12.5 SU3 ES07.

• Unified CCX 15.0 - upgrade to 15.0 ES01.

If you are unable to patch right away, there is no ideal workaround. You could diminish exposure via segmentation of the network and strict firewall rules, but patching is the only real way to secure the system.

In Conclusion

To be frank, these vulnerabilities are concerning and an excellent reminder that enterprise software also has vulnerabilities. If you manage Cisco CCX, take the proper steps and patch it promptly. The worst thing you can do is hesitate. Attackers are laser-focused on getting into servers that haven’t been patched.
 