TL;DR 📌

Multiple critical vulnerabilities have been identified in Cisco Unified Contact Center Express (Unified CCX) that could allow unauthenticated remote attackers to execute arbitrary commands and bypass authentication. Immediate action is required to mitigate these risks.

What happened 🕵️‍♂️

Cisco has disclosed multiple vulnerabilities in the Java Remote Method Invocation (RMI) process of Cisco Unified Contact Center Express. These vulnerabilities could allow an unauthenticated, remote attacker to upload arbitrary files, bypass authentication, execute arbitrary commands, and elevate privileges to root. The vulnerabilities are not dependent on one another, meaning each can be exploited independently.

TL;DR 📌

Multiple vulnerabilities have been identified in Cisco Contact Center products, allowing authenticated attackers to potentially disclose sensitive information, execute arbitrary commands, and elevate privileges. The highest CVSS score is 6.5, indicating a medium risk. Users are advised to upgrade to fixed software releases as there are no available workarounds.

What happened 🕵️‍♂️

Cisco has disclosed multiple vulnerabilities affecting its Contact Center products, including Cisco Unified Contact Center Express (Unified CCX), Cisco Unified Contact Center Enterprise (Unified CCE), Cisco Packaged Contact Center Enterprise (Packaged CCE), and Cisco Unified Intelligence Center (CUIC). These vulnerabilities can be exploited by authenticated remote attackers to disclose sensitive information, upload and execute arbitrary files, and elevate privileges to root. Successful exploitation requires valid user credentials.

TL;DR 📌

• A vulnerability in the file opening process of Cisco Unified Contact Center Express (Unified CCX) Editor could allow an unauthenticated attacker to execute arbitrary code on an affected device. This vulnerability is due to insecure deserialization of Java objects by the affected software. An attacker could exploit this vulnerability by persuading an authenticated, local user to open a crafted .aef…
• No fixed release listed yet; apply mitigations and monitor.
• Workarounds are documented in the advisory.
• CVEs: CVE-2025-20275.

What happened 🕵️‍♂️

A vulnerability in the file opening process of Cisco Unified Contact Center Express (Unified CCX) Editor could allow an unauthenticated attacker to execute arbitrary code on an affected device.

TL;DR 📌

• Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack or execute arbitrary code on an affected device. To exploit these vulnerabilities, the attacker must have valid administrative credentials. For more information about these vulnerabilities, see the Details ["#details"] section of…
• No fixed release listed yet; apply mitigations and monitor.
• Workarounds are documented in the advisory.
• CVEs: CVE-2025-20276, CVE-2025-20277, CVE-2025-20279.

What happened 🕵️‍♂️

The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.

TL;DR 📌

• A vulnerability in the web-based chat interface of Cisco Customer Collaboration Platform (CCP), formerly Cisco SocialMiner, could allow an unauthenticated, remote attacker to persuade users to disclose sensitive data. This vulnerability is due to improper sanitization of HTTP requests that are sent to the web-based chat interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the…
• No fixed release listed yet; apply mitigations and monitor.
• Workarounds are documented in the advisory.
• CVEs: CVE-2025-20129.

What happened 🕵️‍♂️

A vulnerability in the web-based chat interface of Cisco Customer Collaboration Platform (CCP), formerly Cisco SocialMiner, could allow an unauthenticated, remote attacker to persuade users to disclose sensitive data.

TL;DR 📌

• A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful…
• No fixed release listed yet; apply mitigations and monitor.
• Workarounds are documented in the advisory.
• CVEs: CVE-2025-20288.

What happened 🕵️‍♂️

A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack through an affected device.

TL;DR 📌

Cisco Unified Intelligence Center (CUIC) contains an authenticated arbitrary file upload vulnerability (CVE-2025-20274). An attacker with valid Report Designer (or higher) credentials could upload files, potentially execute commands and escalate to root. Fixed software is available; there are no workarounds.

What happened 🕵️‍♂️

Improper validation of files uploaded via the CUIC web management interface allows an authenticated remote attacker to upload arbitrary files. A successful exploit can store malicious files and execute arbitrary OS commands; Cisco raised the Security Impact Rating because an attacker could elevate privileges to root. Exploitation requires valid credentials with at least the Report Designer role. Cisco PSIRT is not aware of any public announcements or active malicious use.