Brief Summary: Cisco Unified CCX Java RMI Unauthenticated RCE (CVE-2025-20354)

This post provides a brief summary of CVE-2025-20354, a critical unauthenticated remote code execution vulnerability in Cisco Unified Contact Center Express (CCX) via the Java RMI process. The flaw allows remote attackers to upload arbitrary files and execute commands as root due to improper authentication. Details include affected versions, technical mechanism, and vendor history.

ZeroPath CVE Analysis

2025-11-05

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

Introduction

Remote attackers can gain root access to Cisco Unified Contact Center Express (CCX) systems with no credentials or user interaction required. This vulnerability enables arbitrary file upload and command execution through the Java RMI process, directly impacting the security of enterprise contact center infrastructure. Cisco Unified CCX is a widely deployed platform for managing customer interactions in organizations worldwide, making this issue highly relevant for any enterprise using Cisco's contact center solutions.

Technical Information

CVE-2025-20354 is caused by improper authentication in the Java Remote Method Invocation (RMI) process within Cisco Unified CCX. The RMI interface, typically exposed on TCP port 1099, is used for inter-process communication in the CCX architecture. Specific RMI endpoints fail to enforce authentication, allowing unauthenticated remote attackers to send crafted RMI requests that invoke file upload functionality.

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). Attackers can upload arbitrary files to the affected system, which are then executed with root privileges. This enables full remote code execution on the underlying operating system. The attack requires only network access to the vulnerable RMI interface; no credentials or user interaction are needed. The flaw affects the core communication mechanism of CCX, making exploitation straightforward for anyone with network visibility to the RMI service.

No public code snippets or proof of concept are available as of the advisory date. The vulnerability does not depend on any specific configuration beyond having an exposed and unpatched RMI interface on a vulnerable CCX version.
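
A defender-side check for the exposure described above, as an added example that is not from Cisco or the original post: it scans flow records for contacts to CCX nodes from outside trusted subnets on TCP 1099, and goes beyond the single port by also matching the 4-byte `JRMI` magic that opens a Java RMI stream on any port. The host list, trusted subnet, record format and sample flows are constructed assumptions.

```python
import ipaddress

# Assumptions (not from the advisory): CCX node addresses and the subnets
# allowed to reach them are site-specific; the values below are constructed.
CCX_HOSTS = {"10.20.0.11", "10.20.0.12"}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
RMI_PORT = 1099                         # port named in the write-up
JRMI_MAGIC = bytes.fromhex("4a524d49")  # "JRMI", start of a Java RMI stream header

# Constructed flow records: src, dst, dst_port, first payload bytes (hex).
SAMPLE_FLOWS = """\
10.20.0.12,10.20.0.11,1099,4a524d4900024b
192.0.2.44,10.20.0.11,1099,4a524d4900024b
198.51.100.7,10.20.0.12,6999,4a524d4900024b
192.0.2.44,10.20.0.11,443,160301
203.0.113.9,10.20.0.11,1099,
bad line
"""

def classify(line):
    """Return (src, dst, port, reason) for a suspicious flow, else None."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 4:
        return None                     # malformed record, skip
    src, dst, port, payload_hex = parts
    try:
        port = int(port)
        payload = bytes.fromhex(payload_hex)
        trusted = any(ipaddress.ip_address(src) in n for n in TRUSTED_NETS)
    except ValueError:
        return None                     # unparsable port, payload or address
    if dst not in CCX_HOSTS or trusted:
        return None
    if payload.startswith(JRMI_MAGIC):
        reason = "rmi-handshake" if port == RMI_PORT else "rmi-handshake-nonstandard-port"
    elif port == RMI_PORT:
        reason = "rmi-port-contact"     # e.g. connection seen, no payload captured
    else:
        return None
    return (src, dst, port, reason)

def find_untrusted_rmi(flows_text):
    """Classify every non-empty record and keep only the flagged ones."""
    hits = [classify(l) for l in flows_text.splitlines() if l.strip()]
    return [h for h in hits if h]

if __name__ == "__main__":
    for hit in find_untrusted_rmi(SAMPLE_FLOWS):
        print(hit)
```

Any hit means the RMI service is reachable from a source that should be blocked at the network layer until the fixed release from the Cisco advisory is installed.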

Affected Systems and Versions

CVE-2025-20354 affects Cisco Unified Contact Center Express (Unified CCX) across multiple major versions. The official Cisco advisory confirms the following:

  • Cisco Unified CCX versions prior to the fixed releases listed in the advisory are vulnerable.
  • The vulnerability is present in default deployments where the Java RMI process is enabled and accessible.
  • Other Cisco contact center products such as Packaged CCE and Unified CCE are not affected by this specific issue.

Organizations must consult the Cisco advisory (see references) for exact affected and fixed version numbers, as these may vary based on deployment and release track.

Vendor Security History

Cisco has experienced several critical vulnerabilities in its unified communications and infrastructure products in 2025. Notable recent issues include unauthenticated remote code execution in Cisco Identity Services Engine (CVSS 10.0) and static SSH credential flaws in Unified Communications Manager. Cisco's PSIRT typically publishes advisories and patches in response, but the frequency and severity of recent disclosures highlight ongoing architectural and security challenges in its enterprise product lines.

References
