Cisco issues out-of-band fixes for UCCX: Critical Java RMI RCE and CCX Editor authentication bypass

CyberSecureFox 🦊

Cisco has shipped out-of-band security updates for Unified Contact Center Express (UCCX), addressing multiple flaws, including two critical vulnerabilities: CVE-2025-20354 (CVSS 9.8) and CVE-2025-20358 (CVSS 9.4). According to Cisco PSIRT, there are no public exploits or confirmed attacks at publication time, but the vendor classifies the risk as high and urges immediate patching.

CVE-2025-20354: Java RMI remote code execution in Cisco UCCX

CVE-2025-20354, credited to researcher Jahmel Harris, stems from improper authentication enforcement in the Java Remote Method Invocation (RMI) component used by Unified CCX. A remote, unauthenticated attacker could send a crafted payload to achieve arbitrary command execution on the host with root privileges. Java RMI is a mechanism for invoking methods across networked JVMs; when exposed without robust authentication, it can become a conduit for deserialization and command-injection style attacks, making this a high-impact RCE.

Business impact and exposure in contact-center environments

UCCX is positioned as an “all-in-one contact center” and commonly supports up to 400 agents per site, making it a valuable target. Successful exploitation could enable takeover of call-routing scripts, access to sensitive customer data, and disruption of critical voice workflows that underpin SLAs. Historically, weakly protected RMI endpoints have served as initial footholds for privilege escalation and lateral movement. Network segmentation, strict access controls on management interfaces, and rapid patching materially reduce this risk.

CVE-2025-20358: CCX Editor authentication bypass enables admin-level script execution

The second critical flaw, CVE-2025-20358, affects Contact Center Express (CCX) Editor. An unauthenticated adversary can manipulate the verification flow, tricking the editor into accepting a login and redirecting authentication to an attacker-controlled resource. This grants the ability to create and run arbitrary scripts with administrative privileges, allowing modification of call-handling logic and facilitating persistence within the contact-center infrastructure.

Additional Cisco fixes: Cisco ISE DoS and further Contact Center CVEs

Cisco also addressed CVE-2025-20343 in Identity Services Engine (ISE), where exploitation can cause denial of service and potential device reboots. In parallel, four additional Contact Center issues—CVE-2025-20374, CVE-2025-20375, CVE-2025-20376, and CVE-2025-20377—were fixed. While these typically require elevated privileges, they can lead to further escalation to root, command execution, sensitive data access, and file upload, amplifying the blast radius of an initial compromise.

Patch guidance, compensating controls, and operational recommendations

Cisco recommends upgrading UCCX immediately: for the 12.5 SU3 train, move to 12.5 SU3 ES07; for 15.0, upgrade to 15.0 ES01. Organizations should also validate that Java RMI and all administrative interfaces are not exposed to untrusted networks. Where patching cannot occur at once, apply compensating controls: restrict access using network ACLs and segmentation, enforce the principle of least privilege, enable detailed logging, and monitor for authentication anomalies and unexpected script changes within CCX Editor.

From an operational standpoint, treat this as a time-sensitive maintenance event. Snapshot or back up UCCX/CCX configurations, stage updates in test environments, and implement a rollback plan. Inventory external exposure (e.g., management ports, RMI endpoints), validate TLS configurations, and tune SIEM alerts for suspicious RMI activity and unexpected process spawns. While Cisco PSIRT reports no active exploitation yet, critical RCE and authentication-bypass issues are commonly targeted soon after proof-of-concept code emerges, particularly in internet-exposed services.
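The patch guidance and exposure inventory above can be turned into a repeatable check. The following script is an added example written for this article, not Cisco tooling: it parses UCCX version strings in the form the advisory uses ("12.5 SU3 ES07", "15.0 ES01"), compares them against the fixed releases named above, and flags Java RMI or administrative interfaces that an inventory marks as reachable from untrusted networks. The inventory record layout, its field names, the service labels and the sample hosts are constructed assumptions; the fixed-release numbers come from the text.

```python
"""Patch-status and exposure triage for Cisco UCCX hosts.

Added example, not Cisco's tooling. The fixed releases (12.5 SU3 ES07 and
15.0 ES01) are taken from the advisory summary; the inventory records,
their field names and the version-string grammar are assumptions made for
this example.
"""
import re
from dataclasses import dataclass

# Fixed releases named in the article, keyed by (major, minor, SU number).
# A release with no SU suffix is recorded as SU 0 (assumption).
FIXED_ES = {
    (12, 5, 3): 7,   # 12.5 SU3 -> fixed in 12.5 SU3 ES07
    (15, 0, 0): 1,   # 15.0     -> fixed in 15.0 ES01
}

# Service labels (assumed inventory vocabulary) that the article says must not
# be reachable from untrusted networks.
SENSITIVE_SERVICES = {"java-rmi", "admin-web", "ccx-editor"}

# Grammar assumed for this example: MAJOR.MINOR [SUn] [ESn]
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\s+SU(\d+))?(?:\s+ES(\d+))?$", re.IGNORECASE
)


def parse_version(text):
    """Parse '12.5 SU3 ES07' into (major, minor, su, es); missing SU/ES are 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised UCCX version string: {text!r}")
    major, minor, su, es = m.groups()
    return int(major), int(minor), int(su or 0), int(es or 0)


def patch_status(version):
    """Return 'patched', 'needs-update' or 'unlisted-train'.

    'unlisted-train' means the advisory text quoted here names no fixed ES
    for that train; consult the Cisco advisory rather than assuming safety.
    """
    major, minor, su, es = parse_version(version)
    fixed = FIXED_ES.get((major, minor, su))
    if fixed is None:
        return "unlisted-train"
    return "patched" if es >= fixed else "needs-update"


@dataclass
class Host:
    name: str
    version: str
    # service label -> True if reachable from an untrusted network (assumed field)
    exposure: dict


def triage(hosts):
    """Return (host, finding) pairs for every host that needs action."""
    findings = []
    for h in hosts:
        status = patch_status(h.version)
        if status != "patched":
            findings.append((h.name, f"version {h.version}: {status}"))
        for svc, untrusted in h.exposure.items():
            if svc in SENSITIVE_SERVICES and untrusted:
                findings.append((h.name, f"{svc} reachable from untrusted network"))
    return findings


# Constructed sample inventory (not real hosts or real exposure data).
SAMPLE_HOSTS = [
    Host("uccx-a", "12.5 SU3 ES05", {"java-rmi": True, "admin-web": False}),
    Host("uccx-b", "12.5 SU3 ES07", {"java-rmi": False, "ccx-editor": False}),
    Host("uccx-c", "15.0", {"admin-web": True}),
    Host("uccx-d", "15.0 ES01", {"java-rmi": False}),
]

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_HOSTS):
        print(f"{name}: {finding}")
```

Run against the constructed inventory, the script reports two findings for uccx-a (unpatched and RMI exposed) and two for uccx-c (unpatched and admin interface exposed), while uccx-b and uccx-d produce none. Feeding it a real CMDB export replaces the sample list; the comparison deliberately treats any train the advisory does not list as "unlisted-train" rather than as safe.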

UCCX underpins customer engagement, revenue operations, and SLA adherence. Reducing the window of exposure through rapid patching, hardening management planes, and continuous monitoring is essential. Organizations should formalize a rapid review process for Cisco PSIRT advisories, automate patch deployment where feasible, and train operations teams to detect and contain incidents affecting voice and contact-center platforms. Acting now decreases the likelihood of disruption, data exposure, and downstream recovery costs.
