WARNING: Critical Cisco Vulnerabilities Enable Attackers To Execute Malicious Code

Cisco Systems has disclosed two highly severe vulnerabilities in its contact-centre solution, Cisco Unified Contact Center Express (Unified CCX), that potentially allow unauthenticated remote attackers to take full control of affected systems. The flaws raise particular concern due to the critical role of contact-centre systems in business operations and their often sensitive data handling.

The Vulnerabilities

The two primary issues identified are:

CVE-2025-20354 – An unauthenticated remote code execution (RCE) vulnerability with a CVSS v3.1 base score of 9.8, the highest severity. The flaw resides in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX and could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with root permissions on an affected system. The vulnerability is due to improper authentication mechanisms associated with specific Cisco Unified CCX features. An attacker could exploit it by uploading a crafted file to an affected system through the Java RMI process; a successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root.

CVE-2025-20358 – A similarly critical authentication-bypass vulnerability rated at CVSS 9.4. This issue affects the CCX Editor application and enables attackers to redirect the authentication flow to a malicious server, tricking the editor into believing authentication has succeeded, thereby granting administrative script-creation and execution rights as an internal non-root user on the underlying OS.

“Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability,” Cisco says.

The fact that both vulnerabilities require no valid credentials and can be exploited remotely—with little to no user interaction—makes them exceptionally dangerous for organisations using this platform.


Why This Matters

Contact-centre platforms such as Unified CCX are central to an enterprise’s customer-interaction ecosystem. They interact with large volumes of potentially sensitive customer data, handle voice, email or chat communications, integrate with CRM systems and often sit behind the organisational firewall but sometimes reach the wider network. If compromised, they can become entry points to broader internal systems.

The root-level access enabled by CVE-2025-20354 allows an attacker to pivot, deploy ransomware, exfiltrate data, or maintain persistence undetected. By simply uploading a crafted file, the attacker can execute arbitrary commands on the underlying operating system and elevate privileges to root.

Meanwhile, CVE-2025-20358 enables an attacker to “bypass authentication” by redirecting the authentication flow, a technique that may appear subtle but opens the door to full administrative control of scripting within the environment.

Together, the two vulnerabilities form a potent attack chain: first gaining access via the RMI interface, then exploiting script execution privileges via the editor bypass to deepen control and persistence.

Impact & Risk To Organisations

For organisations running Unified CCX, several risk factors raise the urgency of mitigation:

High exposure: If the RMI service or CCX Editor interface is reachable or insufficiently segmented, the attack surface is broad.

Data sensitivity: Contact-centre systems handle sensitive consumer or enterprise-client data, exposing organisations to regulatory, reputational and financial risk in the event of compromise.

Operational disruption: An attacker gaining root access can not only exfiltrate data but disrupt service, modify call flows, inject malicious scripts or pivot laterally into other enterprise systems.

Speed of exploitation: Given the low complexity, remote network vector and no prerequisites required, exploitation could happen swiftly—especially once proof-of-concepts appear.

Cisco currently states that no exploitation in the wild has been confirmed. That window of “no known active campaigns” offers only a temporary reprieve and must not lull organisations into complacency.

What Organisations Should Do Now

Given the severity, immediate action is required. Key steps include:

  1. Apply vendor updates: Cisco has released fixed versions. For Unified CCX version 12.5 SU3 and earlier, update to 12.5 SU3 ES07; for version 15.0, update to 15.0 ES01.
  2. Isolate and segment systems: Restrict access to CCX infrastructure (especially RMI services and editor interfaces) from untrusted networks and ensure strong network segmentation.
  3. Audit exposure: Identify where Unified CCX is deployed, whether its management interfaces face external networks, and whether any firewall or ACL gaps exist.
  4. Monitor for exploitation indicators: Look for abnormal RMI file uploads, editor script-creation activity, unexpected user flows, or unusual administrative activity.
  5. Incident-response readiness: Given the possibility of root-level compromise, ensure backup, restore and forensic-analysis capabilities are in place; plan for containment and remediation of a full system takeover.
  6. Proof-of-concept and threat-intelligence monitoring: Closely track whether proof-of-concept exploitation code appears publicly, or whether active campaigns targeting CCX emerge.
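To make step 1 actionable across a fleet, the following is an added example (not Cisco tooling) that triages an inventory of Unified CCX hosts against the fixed releases named above. It assumes version strings of the form "MAJOR.MINOR [SUn] [ESnn]"; the hostnames and versions in the sample inventory are constructed.

```python
"""Triage Unified CCX versions against the advisory's fixed builds:
12.5 SU3 and earlier -> 12.5 SU3 ES07; 15.0 -> 15.0 ES01.
Version-string format 'MAJOR.MINOR [SUn] [ESnn]' is an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\s+SU(\d+))?(?:\s+ES(\d+))?$", re.I)


@dataclass(frozen=True, order=True)
class CcxVersion:
    major: int
    minor: int
    su: int = 0  # service update; 0 = base release
    es: int = 0  # engineering special; 0 = none applied

    @classmethod
    def parse(cls, text: str) -> "CcxVersion":
        m = _VER_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised Unified CCX version: {text!r}")
        return cls(*(int(g) if g else 0 for g in m.groups()))

    def __str__(self) -> str:
        s = f"{self.major}.{self.minor}"
        if self.su:
            s += f" SU{self.su}"
        if self.es:
            s += f" ES{self.es:02d}"
        return s


# Fixed releases from the advisory, keyed by release train.
FIXED = {(12, 5): CcxVersion(12, 5, 3, 7), (15, 0): CcxVersion(15, 0, 0, 1)}


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return ('fixed'|'vulnerable'|'unknown-train', target build or None)."""
    v = CcxVersion.parse(version_text)
    train = (v.major, v.minor)
    if train <= (12, 5):          # covers "12.5 SU3 and earlier", incl. 12.0
        fixed = FIXED[(12, 5)]
    elif train == (15, 0):
        fixed = FIXED[(15, 0)]
    else:
        return ("unknown-train", None)  # not covered by the advisory text
    return ("fixed", None) if v >= fixed else ("vulnerable", str(fixed))


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each host to its assessment; constructed sample input in __main__."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    sample = {"ccx-a": "12.5 SU3", "ccx-b": "15.0 ES01", "ccx-c": "12.0 SU1"}
    for host, (status, target) in triage(sample).items():
        print(f"{host}: {status}" + (f" -> upgrade to {target}" if target else ""))
```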

Cisco’s Ongoing Scrutiny In Enterprise Security

These flaws are not isolated. Cisco’s recent patch advisories reveal recurring critical vulnerabilities across its enterprise-infrastructure portfolio. The latest UCCX issues add to a string of recent disclosures, underlining systemic challenges in Cisco’s product suite. On Wednesday, Cisco also updated customers on a high-severity vulnerability (CVE-2025-20343) in its Identity Services Engine (ISE) that could allow remote attackers to trigger denial-of-service conditions on unpatched devices.

What’s more, four additional vulnerabilities in Cisco Contact Center systems (CVE-2025-20374 to CVE-2025-20377) were highlighted as allowing privilege escalation, data exposure, and file manipulation—reinforcing the narrative that attackers are steadily targeting collaboration and identity systems across the enterprise environment.

Cisco has been in the spotlight before. Earlier in 2025, security researchers found that ISE, a linchpin in identity-based security deployments, harbored a flaw allowing unauthorized root-level command execution. Similarly, in September, the Cybersecurity and Infrastructure Security Agency (CISA) issued emergency directives to federal agencies regarding two Cisco firewall vulnerabilities being actively exploited in zero-day attacks—a rare sign that adversaries were racing ahead of defenders.

Growing Complexities In Enterprise Cybersecurity

The continued discovery of serious vulnerabilities in Cisco’s security and collaboration products is emblematic of a broader set of challenges facing cybersecurity and IT teams. Unified communication systems like UCCX are increasingly complex, interconnected, and difficult to secure. Their use of legacy components like Java RMI—originally designed for trusted, closed networks—poses ongoing risk in a world where remote access is ubiquitous and threats never idle.

Moreover, the pressure on IT administrators to balance system uptime with timely security patching is only rising. While Cisco has been proactive in addressing these latest issues, the responsibility to update and secure deployments lies with customers, who must weigh the cost of disruption against the potential for catastrophic exploit.

As threat actors become ever more efficient in weaponizing vulnerabilities at scale, the security of widely-used platforms like UCCX becomes not just a corporate concern, but a matter of public interest.

Conclusion

The disclosure of CVE-2025-20354 and CVE-2025-20358 underscores how critical infrastructure components—in this case, contact-centre systems—are increasingly under threat. What sets these vulnerabilities apart is the combination of unauthenticated access, remote exploitability, root-level or administrative consequence and wide enterprise deployment. In short: the perfect storm for malicious actors.

For organisations running enterprise contact-centre solutions, the message is clear: the threat is real, the window for action is narrow, and the cost of inaction may range from regulatory fines and reputational damage to full business-operations disruption.

Read the Cisco advisory HERE

Thiruppathy R Sundaresan

🛡️ Managing Director | Tatva Networks Pvt. Ltd. | Building the Future of Cybersecurity, Cloud & AI Infrastructure | Empowering Digital Sovereignty

1d

Thank you for sharing this critical update. These vulnerabilities pose serious risks—organizations using Unified CCX should prioritize immediate remediation.

Rory Stewart

International Ambassador at Zafehouze - making IT, OT and IoT 'Zafe' | "If you think the problem can't be solved by technology, then you probably don't understand the technology" | CCNA | CCDA | Checkpoint | RSA

1d

It is always good to talk through such occurrences and also even better when you know that these could be easily avoided permanently using a commercially available application solution called Zafepass. Search for it, it is the silver bullet quite literally.


Critical vulnerabilities like these highlight how fast the threat landscape can change. Staying prepared means continuous #upskill and #training to strengthen security practices and respond effectively. Embracing #innovation through platforms like #AcademyIT helps professionals turn awareness into action.

John Nault

Regional Sales Manager

2d

Centripetal would have picked up on this months ago…check us out: www.centripetal.ai

Diddi Cruz

IT Executive | VP of IT & Cybersecurity | CIO, CTO, IT Director | Digital Transformation & Cloud Strategy (Azure, Microsoft 365, Intune, Copilot) | ITIL, NIST, Compliance | Driving Growth in Regulated Industries

2d

The convergence of legacy components, complex integrations, and critical customer-facing systems. Contact centers often sit at the intersection of sensitive data and operational continuity, which makes patching and segmentation non-negotiable. Staying current with vendor advisories is no longer optional; it’s a core part of maintaining business resilience.
