News

Cisco Unified CCX Remote Code Execution Vulnerabilities (CVE-2025-20354, CVE-2025-20358)

  • securityboulevard.com
  • published date: 2025-11-07 00:00:00 UTC

<article class="post-5916 labs type-labs status-publish has-post-thumbnail hentry" id="post-5916" morss_own_score="9.626436781609195" morss_score="12.051580735543936">
<p><img decoding="async" src="https://www.sentrium.co.uk/cdn-cgi/image/width=2560,height=1379,fit=crop,quality=80,format=auto,onerror=redirect,metadata=none/wp-content/uploads/2025/11/Cisco-Unified-CCX-Remote-Code-Execution-Vulnerabilities-1-scaled.jpg"> </p>
<p><time>November 7, 2025</time></p>
<h1>Cisco Unified CCX Remote Code Execution Vulnerabilities (CVE-2025-20354, CVE-2025-20358)</h1>
<p>Tom Keech</p>
<div class="entry-content prose max-w-none md:prose-lg lg:prose-xl prose-pre:rounded-xl prose-pre:bg-mineshaft-80" morss_own_score="5.699421965317919" morss_score="46.93701061780019">
<p>On the 6th of February 2025, Cisco disclosed two critical vulnerabilities, CVE-2025-20354 and CVE-2025-20358, affecting Unified Contact Center Express (Unified CCX). Researcher Jahmel Harris is credited with reporting these issues to Cisco. These vulnerabilities could allow a remote, unauthenticated attacker to upload arbitrary files, bypass authentication and execute commands as the root user on the underlying operating system of affected Unified CCX servers.</p>
<h2>Technical details</h2>
<p>The problem comes from weak authentication in two different CCX components.</p>
<p>CVE-2025-20354 affects the Java RMI service. CCX exposes this service to accept remote data, but it does not properly check who is sending it. That means an attacker can upload a specially crafted file and run commands on the underlying operating system. Because the CCX service runs as root, a successful attacker can take full control of the machine.</p>
<p>CVE-2025-20358 affects the CCX Editor, a tool used to build and push workflow scripts. The Editor trusts the server during its login exchange, and this trust can be abused. An attacker can redirect that login step to a fake server and trick the Editor into thinking it has authenticated. Once exploited, the Editor will accept and run scripts supplied by the attacker, usually under an internal non-root service account.</p>
<p>Both flaws can be triggered remotely with no credentials and no user interaction. In short, an attacker can remotely seize the CCX application and, because of how CCX ties into call handling and identity systems, cause widespread disruption.</p>
<h2>Impact summary</h2>
<p>A remote, unauthenticated attacker can gain administrative control of Cisco Unified CCX by abusing the RMI service or CCX Editor communication channel. Successful exploitation could provide root access, permit arbitrary command execution, and facilitate lateral movement into adjacent network systems. For organisations where Unified CCX is deployed within call handling infrastructure, compromise of this system could result in full operational control of the call centre platform.</p>
<h2>Mitigating the vulnerability</h2>
<p>Cisco has released software updates to fully address these issues. Organisations running Unified CCX should apply the relevant updates immediately. Customers can refer to the <a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ">Cisco Security Advisory</a> for detailed information about the patches released to address these vulnerabilities.</p>
<h3>Fixed releases</h3>
<p>Affected release – Unified CCX 12.5 SU3 and earlier</p>
<p>First fixed release – 12.5 SU3 ES07</p>
<p>Affected release – Unified CCX 15.0</p>
<p>First fixed release – 15.0 ES01</p>
<p>No effective workarounds are available for organisations that are unable to apply the update immediately. Temporary measures such as network segmentation and strict firewall rules may reduce exposure, but these are not substitutes for patching.</p>
<h2>How can Sentrium help?</h2>
<p>Sentrium offer vulnerability assessment and network penetration testing services that can support you in identifying vulnerable Windows Server systems across your environments.
Start your assessment today by completing our <a href="https://www.sentrium.co.uk/penetration-testing-quote">pentest scoping form</a> or get in touch with our team to find out more about our <a href="https://www.sentrium.co.uk/penetration-testing">penetration testing services</a>.</p> </div> </article>
<p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.sentrium.co.uk/labs">Labs Archive - Sentrium Security</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Tom Keech">Tom Keech</a>. Read the original post at: <a href="https://www.sentrium.co.uk/labs/cisco-unified-ccx-remote-code-execution-vulnerabilities-cve-2025-20354-cve-2025-20358">https://www.sentrium.co.uk/labs/cisco-unified-ccx-remote-code-execution-vulnerabilities-cve-2025-20354-cve-2025-20358</a> </p>
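<p>Added example, not part of the original post or of Cisco's advisory: a patch-triage check that applies the "Fixed releases" list above to an inventory of Unified CCX release labels and returns every host that is not confirmed fixed. The label format ("12.5 SU3 ES07"), the hostnames, the treatment of trains older than 12.5 as affected, and the treatment of later ES builds on the same SU as fixed are assumptions.</p>

```python
import re

# First fixed releases, copied from the article's "Fixed releases" section.
# train -> (last affected SU level, first fixed ES level on that SU)
FIXED = {
    (12, 5): (3, 7),   # 12.5 SU3 and earlier -> first fixed 12.5 SU3 ES07
    (15, 0): (0, 1),   # 15.0                 -> first fixed 15.0 ES01
}
OLDEST_LISTED = min(FIXED)

# Assumed label convention (hypothetical): "<major>.<minor> [SU<n>] [ES<nn>]"
LABEL = re.compile(r"^\s*(\d+)\.(\d+)(?:\s+SU(\d+))?(?:\s+ES(\d+))?\s*$", re.I)


def triage(label):
    """Return 'affected', 'fixed', 'unlisted' or 'unparsed' for one label."""
    m = LABEL.match(label)
    if not m:
        return "unparsed"          # never guess: send to manual review
    train = (int(m.group(1)), int(m.group(2)))
    su, es = int(m.group(3) or 0), int(m.group(4) or 0)
    if train < OLDEST_LISTED:
        return "affected"          # assumption: "and earlier" covers older trains
    if train not in FIXED:
        return "unlisted"          # article gives no data: check the advisory
    last_su, fixed_es = FIXED[train]
    if su > last_su:
        return "unlisted"          # newer SU than the article covers
    if su < last_su:
        return "affected"          # an ES on an older SU is not the fixed build
    # Assumption: ES builds on the same SU are cumulative.
    return "fixed" if es >= fixed_es else "affected"


def needs_action(inventory):
    """Hosts that are not confirmed fixed, with the reason, sorted by host."""
    results = {host: triage(label) for host, label in inventory.items()}
    return sorted((h, s) for h, s in results.items() if s != "fixed")


# Constructed sample inventory (hostnames and labels are illustrative).
SAMPLE = {
    "ccx-a.example.internal": "12.5 SU3",
    "ccx-b.example.internal": "12.5 SU3 ES07",
    "ccx-c.example.internal": "15.0",
    "ccx-d.example.internal": "15.0 ES01",
    "ccx-e.example.internal": "12.5(1) build 11003",
}

if __name__ == "__main__":
    for host, status in needs_action(SAMPLE):
        print(f"{host}: {status}")
```

<p>Hosts reported as "unlisted" or "unparsed" are deliberately kept in the action list so that a release the article does not cover is checked against the Cisco Security Advisory rather than assumed safe.</p>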