Introduction
Attackers can gain administrative script execution on Cisco Unified Contact Center Express (CCX) servers without authentication, putting sensitive customer workflows and data at risk. The vulnerability enables remote code execution through the CCX Editor, a core tool for managing contact center call flows in thousands of enterprise deployments worldwide.
About Cisco Unified CCX: Cisco is a global networking and communications leader with a dominant position in enterprise infrastructure. Unified CCX is a widely adopted contact center platform used by organizations of all sizes to manage customer interactions, making vulnerabilities in this product highly impactful across sectors.
Technical Information
CVE-2025-20358 is caused by missing authentication for critical functions (CWE-306) in the protocol between the Cisco Unified CCX Editor and the Unified CCX server. When a user launches the CCX Editor and initiates authentication, the client sends credentials and requests to the configured server. The editor does not adequately verify that the server responding is the legitimate Unified CCX server. This lack of mutual authentication allows an attacker to redirect the authentication flow—using techniques such as DNS poisoning or man-in-the-middle attacks—to a malicious server under their control.
Once the CCX Editor connects to the attacker's server, the attacker can send responses that convince the editor that authentication has succeeded. The editor then grants administrative permissions for script creation and execution. Scripts created in this way are executed on the Unified CCX server as an internal non-root user. This provides a foothold for further compromise, including potential privilege escalation or lateral movement, depending on the environment.
No public code snippets or protocol diagrams are available for this vulnerability as of the disclosure date.
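The flaw class described above can be shown with a small constructed model. This is an added example, not Cisco code and not the CCX Editor protocol: the class names, the `prove`/`login` calls and the HMAC-based identity proof are all assumptions, standing in for server authentication such as TLS with certificate validation.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a pinned server credential; a real deployment would
# get this property from TLS with certificate validation. Not a Cisco value.
SERVER_KEY = secrets.token_bytes(32)


class LegitServer:
    """Model of the genuine server: proves its identity, then checks passwords."""

    def __init__(self, key, users):
        self._key, self._users = key, users

    def prove(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()

    def login(self, user, password):
        stored = self._users.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode(), password.encode())


class RogueServer:
    """Model of an impostor the client was redirected to: holds no key, says yes."""

    def __init__(self):
        self.seen = []  # credentials the impostor received

    def prove(self, nonce):
        return secrets.token_bytes(32)  # cannot compute the real proof

    def login(self, user, password):
        self.seen.append((user, password))
        return True


def login_unverified(server, user, password):
    """Flawed pattern: trust the peer's answer without checking who the peer is."""
    return "admin" if server.login(user, password) else "denied"


def login_verified(server, user, password, pinned_key):
    """Hardened pattern: the peer must prove its identity before anything else."""
    nonce = secrets.token_bytes(16)  # fresh per attempt, so proofs cannot be replayed
    expected = hmac.new(pinned_key, nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, server.prove(nonce)):
        return "rejected"  # no credentials sent, no permissions granted
    return "admin" if server.login(user, password) else "denied"
```

In the unverified path the impostor both receives the credentials and is believed; in the verified path it receives nothing, because the identity check fails before the login request is made.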
Affected Systems and Versions
- Cisco Unified Contact Center Express (CCX) Editor application
- Specific affected version numbers are not listed in the public advisory as of the disclosure date
- The vulnerability is present in configurations where the CCX Editor communicates with the Unified CCX server and relies on the default authentication mechanism
Vendor Security History
Cisco has disclosed multiple critical vulnerabilities in its enterprise product lines in 2025, including:
- CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363 in Secure Firewall products (with evidence of active exploitation)
- CVE-2025-20275 and CVE-2025-20276 in Unified CCX and related platforms
- CVE-2025-20354 and CVE-2025-20355 in Unified CCX
Cisco typically issues coordinated advisories and patches, but the recurrence of critical flaws highlights ongoing challenges in secure development and testing for complex enterprise systems.



