Cisco patched a critical flaw in its Unified Contact Center Express (UCCX) software that allowed attackers to execute commands with root privileges.
Cisco released security updates to address a critical vulnerability, tracked as CVE-2025-20354 (CVSS score 9.8), in the Unified Contact Center Express (UCCX) software. An attacker can exploit the flaw to execute commands with root privileges.
Cisco Unified Contact Center Express (UCCX) is a customer interaction management platform designed for small and medium-sized contact centers.
“A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with root permissions on an affected system,” reads the advisory.
“This vulnerability is due to improper authentication mechanisms that are associated to specific Cisco Unified CCX features. An attacker could exploit this vulnerability by uploading a crafted file to an affected system through the Java RMI process. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root.”
The flaw in Cisco Unified Contact Center Express’s Java RMI handling lets an unauthenticated remote actor upload files via the RMI interface and run commands as root. The root cause lies in improper or missing authentication tied to certain CCX features, so the RMI endpoint accepts and processes crafted input it should reject.
The networking giant states that there are no workarounds that address this vulnerability. The fixed releases are listed below.
| Cisco Unified CCX Release | First Fixed Release |
|---|---|
| 12.5 SU3 and earlier | 12.5 SU3 ES07 |
| 15.0 | 15.0 ES01 |
The Cisco Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting this vulnerability.
This week, Cisco warned of a new attack variant targeting vulnerable Secure Firewall ASA and FTD devices by exploiting the vulnerabilities CVE-2025-20333 and CVE-2025-20362.
Pierluigi Paganini
(SecurityAffairs – hacking, Cisco)
