Cisco has released urgent security updates to address two critical vulnerabilities in its Unified Contact Center Express (Unified CCX) software, which could allow unauthenticated remote attackers to execute arbitrary code or gain administrative control over affected systems.
According to Cisco’s advisory, “Multiple vulnerabilities in the Java Remote Method Invocation (RMI) process of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to upload arbitrary files, bypass authentication, execute arbitrary commands, and elevate privileges to root.”
The flaws — tracked as CVE-2025-20354 and CVE-2025-20358 — affect multiple releases of Unified CCX, a key component used in enterprise customer service and call center infrastructures.
The first vulnerability, CVE-2025-20354, carries a CVSS score of 9.8, making it a critical-severity remote code execution flaw.
Cisco explains that the issue arises from improper authentication mechanisms tied to certain Unified CCX features within the Java Remote Method Invocation (RMI) process. This weakness could allow an attacker to upload arbitrary files and execute commands as root on the affected system.
“A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with root permissions on an affected system,” the advisory states.
An attacker could exploit the flaw by sending a crafted RMI request to an exposed Unified CCX service. Successful exploitation would give the attacker full control over the underlying operating system — including the ability to manipulate configurations, steal data, or install backdoors for persistent access.
Cisco emphasized that “a successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root.”
There are no workarounds available, and Cisco strongly recommends immediate patching. Fixed software has been released in Unified CCX 12.5 SU3 ES07 and 15.0 ES01.
The second flaw, CVE-2025-20358, affects the CCX Editor application — a tool used to create and deploy contact center scripts. Rated 9.4 (Critical), the vulnerability allows an unauthenticated attacker to bypass authentication and gain administrative permissions within the scripting environment.
Cisco describes the issue as stemming from improper authentication mechanisms between the CCX Editor client and the Unified CCX server.
“A vulnerability in the Contact Center Express (CCX) Editor application of Cisco Unified CCX could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative permissions pertaining to script creation and execution,” Cisco explained.
Attackers can exploit this flaw by redirecting the authentication flow to a malicious server, tricking the CCX Editor into accepting a fake authentication response. Once successful, they could create and execute arbitrary scripts with elevated privileges on the affected CCX server.
Like the RMI flaw, there are no known workarounds, and Cisco has addressed the issue in Unified CCX 12.5 SU3 ES07 and 15.0 ES01.
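A patch-status check a defender could run over a Unified CCX inventory, added here as an example (not Cisco's code or tooling): it parses each host's reported build and compares it with the fixed releases named above for the same release train. The "12.5 SU3 ES07" version-string format, the ordering rule (a higher SU supersedes any ES of a lower SU) and the sample inventory are assumptions, not taken from the advisory.

```python
import re
from typing import NamedTuple, Optional

# Fixed releases named in the advisory, keyed by release train.
FIXED_RELEASES = {"12.5": "12.5 SU3 ES07", "15.0": "15.0 ES01"}

# Assumed format "<major>.<minor> [SU<n>] [ES<n>]"; adjust to how your build reports it.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s+SU(\d+))?(?:\s+ES(\d+))?$", re.IGNORECASE)

class CcxVersion(NamedTuple):
    major: int
    minor: int
    su: int   # service update; 0 if absent
    es: int   # engineering special; 0 if absent

    @property
    def train(self) -> str:
        return f"{self.major}.{self.minor}"

def parse_version(text: str) -> CcxVersion:
    """Parse '12.5 SU3 ES07' into (12, 5, 3, 7); missing parts become 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Unified CCX version: {text!r}")
    major, minor, su, es = m.groups()
    return CcxVersion(int(major), int(minor), int(su or 0), int(es or 0))

def is_patched(installed: str) -> Optional[bool]:
    """True if at/above the fixed build for its train, False if below,
    None if the train has no fixed build listed (needs manual review)."""
    v = parse_version(installed)
    fixed = FIXED_RELEASES.get(v.train)
    if fixed is None:
        return None
    return v >= parse_version(fixed)  # tuple order: major, minor, SU, ES

def triage(inventory: dict) -> dict:
    """Map host -> 'patched' | 'VULNERABLE' | 'review' for host -> version."""
    labels = {True: "patched", False: "VULNERABLE", None: "review"}
    return {host: labels[is_patched(ver)] for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are not real.
    sample = {"ccx-a.example": "12.5 SU3 ES06", "ccx-b.example": "12.5 SU3 ES07",
              "ccx-c.example": "15.0", "ccx-d.example": "15.0 ES01",
              "ccx-e.example": "12.0 SU1"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Any host the advisory's affected-release list covers but that lands in "review" here should be checked by hand rather than assumed safe.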
While both vulnerabilities are considered critical, Cisco’s Product Security Incident Response Team (PSIRT) stated that it is not aware of any public announcements or active exploitation of these issues at the time of publication.