On November 5, 2025, Cisco released fixes for two critical vulnerabilities impacting Cisco Unified Contact Center Express (CCX). The vulnerabilities are independent (exploiting one is not required to exploit the other).
- CVE-2025-20354 (Remote Code Execution): An unauthenticated, remote threat actor can exploit a flaw in the Java Remote Method Invocation (RMI) process of Cisco Unified Contact Center Express (CCX) to upload arbitrary files, bypass authentication, and execute commands with root privileges. The flaw is caused by improper authentication and can be exploited by sending specially crafted files via the RMI service.
- CVE-2025-20358 (Authentication Bypass): An unauthenticated, remote threat actor can exploit the CCX Editor to bypass authentication by redirecting its authentication flow to a malicious server. Successful exploitation grants admin permissions in the editor and allows execution of arbitrary scripts on the underlying CCX server as a non‑root user.
Arctic Wolf has not observed exploitation of these vulnerabilities in the wild, nor identified any publicly available proof‑of‑concept exploit. Cisco products have been popular targets in the past, as evidenced by CISA’s Known Exploited Vulnerabilities Catalog, and threat actors may seek to exploit these vulnerabilities in the future.
Recommendation for CVE-2025-20354 & CVE-2025-20358
Upgrade to Latest Fixed Release
Arctic Wolf strongly recommends that customers upgrade to the latest fixed release.
| Product | Affected Release | Fixed Release |
| --- | --- | --- |
| Cisco Unified Contact Center Express (CCX) | | |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.


