Cisco Unified Intelligence Center Arbitrary File Upload Vulnerability
TL;DR 📌
Cisco Unified Intelligence Center (CUIC) contains an authenticated arbitrary file upload vulnerability (CVE-2025-20274). An attacker with valid Report Designer (or higher) credentials could upload files, potentially execute commands and escalate to root. Fixed software is available; there are no workarounds.
What happened 🕵️♂️
Improper validation of files uploaded via the CUIC web management interface allows an authenticated remote attacker to upload arbitrary files. A successful exploit can store malicious files and execute arbitrary OS commands; Cisco raised the Security Impact Rating because an attacker could elevate privileges to root. Exploitation requires valid credentials with at least the Report Designer role. Cisco PSIRT is not aware of any public announcements or active malicious use.
Affected products 🖥️
- Cisco Unified Intelligence Center (all configurations; used in Packaged CCE and Unified CCE)
- Cisco Unified Contact Center Express (Unified CCX) — because it includes CUIC in the software bundle
Products confirmed NOT vulnerable: Cisco Finesse.
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| 12.5 | 12.5(1) SU ES05 | |
| 12.6 | 12.6(2) ES05 | |
| 15 | Not vulnerable. | |
| 12.5(1)SU3 and earlier | Migrate to a fixed release. | |
| 1.0 | Initial public release. |
Workarounds 🧯
There are no workarounds that address this vulnerability.
Risk in context 🎯
- CVE: CVE-2025-20274
- CVSS v3.1 Base Score: 6.3 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) — Medium severity
- Exposure drivers: network-accessible web interface (AV:N), but exploitation requires authenticated access with at least Report Designer privileges (PR:L).
- Impact: Confidentiality/integrity/availability impacts are low per CVSS, but Cisco raised the Security Impact Rating because successful exploitation can lead to root privilege escalation, increasing the operational risk on affected systems.
- Public exploitation: PSIRT is not aware of public announcements or active malicious use.
Fast facts ⚡
- Advisory ID: cisco-sa-cuis-file-upload-UhNEtStm
- Published: 2025-07-16
- Vulnerability type: Arbitrary file upload → remote command execution / privilege escalation potential
- Authentication: Required (Report Designer or higher)
- Workarounds: None
- Fix: Software updates available (see Fixed software section)
For leadership 🧭
Plain-English risk rating: Medium (CVSS 6.3). The vulnerability is exploitable over the network but requires valid credentials for a user with at least Report Designer privileges. Exposure is highest where CUIC is reachable by untrusted networks or where many users hold elevated reporting roles. Although the CVSS impact components are Low, Cisco raised the Security Impact Rating because exploitation can lead to root escalation. Remediation ask: apply the vendor-provided updates within 30 days (sooner if CUIC is internet-accessible or credentials for elevated roles are widely distributed). Operational impact and change risk: brief maintenance window to upgrade CUIC/CCX software; minimal config drift expected. Now: inventory CUIC and Unified CCX instances, identify versions and whether CUIC is internet-facing, and audit accounts with Report Designer (or higher). Next: schedule and apply the indicated fixed releases (or migrate CCX 12.5.x to a fixed release) within 30 days. Later: review role assignments and reduce number of high-privilege reporting accounts; include CUIC in regular vulnerability patching cadence.
Note: Cisco PSIRT reports no known public exploitation; there are no workarounds.