EXECUTIVE SUMMARY:
Two critical vulnerabilities were found in Cisco Unified Contact Center Express (Unified CCX) that let unauthenticated remote attackers take over the underlying system or gain administrative control of the scripting tool. The first (CVE-2025-20354, CVSS 9.8) is a remote code execution issue that lets an attacker upload arbitrary files and run commands as root. The second (CVE-2025-20358, CVSS 9.4) lets an attacker bypass CCX Editor authentication and obtain administrative script permissions. Both issues stem from weak authentication in CCX components and are reachable over the network without credentials.
- CVE-2025-20354: This issue is in the Java Remote Method Invocation (RMI) process of Unified CCX. An unauthenticated attacker can send a specially crafted RMI request to the exposed service to upload arbitrary files and execute commands. Successful exploitation runs those commands with root privileges on the host, giving full control of the operating system, access to its data, and the ability to install persistent backdoors. No workaround is available; updated product builds contain the fix.
- CVE-2025-20358: This issue affects the client-server authentication flow of the CCX Editor, the tool used to build and deploy contact center scripts. An attacker can manipulate that flow (for example, by redirecting the editor to a malicious server that returns a forged authentication response) so that the editor accepts the response and grants administrative permissions. With those permissions the attacker can create and run arbitrary scripts on the CCX server, gaining control over call center logic and the data it handles. No workaround is available; updated product builds contain the fix.
RECOMMENDATION:
We strongly recommend upgrading Unified CCX to version 12.5 SU3 ES07 or 15.0 ES01, depending on the release train in use. Since no workaround exists and both issues are exploitable without credentials, limit network reachability of the CCX server (including the Java RMI service) to trusted management networks until the upgrade is applied.
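To triage an inventory against the fixed builds named above, the following helper is an added example written for this page; it is not Cisco's code and not part of the original advisory. It assumes version strings of the form "12.5 SU3 ES07", "12.5(1) SU3 ES07" or "15.0 ES01", and it assumes (not stated in the advisory) that any later SU or ES build in the same train carries the fix; trains the advisory does not name are reported as "unknown" rather than guessed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Fixed builds named in the advisory, keyed by release train: (SU, ES).
# Assumption (not from the advisory): the same train at that build or later is fixed.
FIXED_BUILDS: Dict[str, Tuple[int, int]] = {
    "12.5": (3, 7),   # 12.5 SU3 ES07
    "15.0": (0, 1),   # 15.0 ES01 (no SU component)
}

# Assumed version-string layout: "<major>.<minor>[(n)] [SU<k>] [ES<k>]".
_VERSION_RE = re.compile(
    r"^(?P<train>\d+\.\d+)(?:\(\d+\))?"
    r"(?:\s*SU(?P<su>\d+))?"
    r"(?:\s*ES(?P<es>\d+))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class CcxVersion:
    train: str
    su: int
    es: int


def parse_version(text: str) -> CcxVersion:
    """Parse strings such as '12.5 SU3 ES05', '15.0 ES01' or '12.5(1) SU2'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Unified CCX version string: {text!r}")
    return CcxVersion(
        train=m.group("train"),
        su=int(m.group("su") or 0),
        es=int(m.group("es") or 0),
    )


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    v = parse_version(text)
    fixed = FIXED_BUILDS.get(v.train)
    if fixed is None:
        # Train not named in the advisory: consult vendor guidance, do not guess.
        return "unknown"
    return "patched" if (v.su, v.es) >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for an inventory of host -> reported version string."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "ccx-pub-01": "12.5(1) SU3 ES07",
        "ccx-sub-01": "12.5 SU3 ES05",
        "ccx-lab-02": "15.0",
        "ccx-old-03": "14.0 SU1",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

The comparison is a tuple of (SU, ES) so that a higher SU with a lower ES number still ranks above the fixed build, which matches how engineering-special numbering restarts per service update. Anything that fails to parse raises rather than silently passing, so a malformed inventory entry is surfaced instead of reported as patched.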
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/critical-cisco-ccx-rce-flaws-cvss-9-8-allow-unauthenticated-root-access-via-java-rmi-and-ccx-editor/