Critical Cisco UCCX flaw lets attackers run commands as root
By Sergiu Gatlan
November 6, 2025
08:31 AM
Cisco has released security updates to patch a critical vulnerability in the Unified Contact Center Express (UCCX) software, which could enable attackers to execute commands with root privileges.
The Cisco UCCX platform, described by the company as a "contact center in a box," is a software solution for managing customer interactions in call centers, supporting up to 400 agents.
Tracked as CVE-2025-20354, this security flaw was discovered by security researcher Jahmel Harris in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX. It allows unauthenticated attackers to execute arbitrary commands remotely with root permissions.
"This vulnerability is due to improper authentication mechanisms that are associated to specific Cisco Unified CCX features," Cisco explained in a Wednesday security advisory.
"An attacker could exploit this vulnerability by uploading a crafted file to an affected system through the Java RMI process. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root."
Yesterday, Cisco also patched a critical security flaw in the Contact Center Express (CCX) Editor application of Cisco UCCX, which allows unauthenticated attackers to remotely bypass authentication and create and execute arbitrary scripts with admin permissions.
This can be exploited by tricking the CCX Editor app into believing the authentication process was successful after redirecting the auth flow to a malicious server.
IT admins are advised to upgrade their Cisco UCCX software to one of the fixed releases listed in the table below as soon as possible.
Cisco Unified CCX Release | First Fixed Release
12.5 SU3 and earlier | 12.5 SU3 ES07
15.0 | 15.0 ES01
While the vulnerabilities affect Cisco Unified CCX software regardless of device configuration, the Cisco Product Security Incident Response Team (PSIRT) has yet to find evidence of publicly available exploit code or that the two critical security flaws have been exploited in the wild.
On Wednesday, the tech giant also warned of a high-severity vulnerability (CVE-2025-20343) impacting its Cisco Identity Services Engine (ISE) identity-based network access control and policy enforcement software. This vulnerability allows unauthenticated, remote attackers to trigger a denial-of-service (DoS) condition, causing unpatched appliances to restart unexpectedly.
Four other security flaws in Cisco Contact Center products (CVE-2025-20374, CVE-2025-20375, CVE-2025-20376, and CVE-2025-20377) can be exploited by attackers with high-level privileges to gain root permissions, execute arbitrary commands, access sensitive information, or download arbitrary files.
Earlier this year, Cisco addressed a Cisco ISE vulnerability that also allowed threat actors to run commands as root on vulnerable appliances, months after patching another ISE flaw that enabled root privilege escalation.
In September, CISA issued a new emergency directive ordering U.S. federal agencies to secure Cisco firewall devices on their networks against two flaws (CVE-2025-20333 and CVE-2025-20362) that have been exploited in zero-day attacks. Days later, the threat monitoring service Shadowserver found over 50,000 Internet-exposed Cisco ASA and FTD firewall appliances that were left unpatched.