By: RedLegg's Cyber Threat Intelligence Team
About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Unauthenticated Java RMI Unrestricted File Upload / Remote Code Execution in Cisco Unified Contact Center Express (CCX)
CVSS Score: 9.8 (CVSS v3.1)
Identifier: CVE-2025-20354
Exploit or Proof of Concept (PoC): No
Update: Cisco has published a security advisory for CVE-2025-20354 and released fixed software versions for affected Unified CCX deployments. Administrators must update to the corrected release immediately. The patched versions are available in Cisco's official advisory at: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ
Description:
Mitigation Recommendation:
Identify all instances of Cisco Unified CCX within your environment and confirm whether the Java RMI service (TCP port 1099) is reachable from any network other than a trusted management network.
Apply the Cisco-provided security update immediately. Verify the installed build against the fixed versions listed in Cisco's advisory.
Restrict network access to the RMI service by blocking TCP port 1099 at firewalls and segmentation points, allowing access only from trusted management networks. Treat this as a compensating control until the fixed release is installed, not as a substitute for patching.
Disable any unnecessary or unused administration services on Unified CCX appliances.
Enable multifactor authentication for administrative interfaces and ensure role-based access controls are enforced. Note that because this vulnerability is exploitable without authentication, these controls do not prevent exploitation; they limit what an attacker can do with credentials obtained after a compromise.
Monitor firewall and network logs and intrusion detection systems for connections to TCP/1099 on Unified CCX hosts, especially from sources outside the management networks, and for other unusual traffic targeting Unified CCX systems.
Investigate for signs of compromise such as new or modified files within CCX directories, unexpected processes spawned by CCX services, or unauthorized configuration changes.
If compromise is suspected, isolate affected systems, reset all relevant credentials, reimage or rebuild servers from known good sources, and perform a full forensic review.
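The two technical steps above that are most often done by hand, checking whether the RMI service on TCP/1099 is actually reachable and reviewing firewall logs for connections to it, can be scripted. The following is an added example written for this bulletin; it is not Cisco's code or part of the original advisory. The handshake bytes follow the public Java RMI transport protocol (the "JRMI" magic, version 2, and the StreamProtocol byte, answered by a ProtocolAck byte followed by the server's endpoint identifier). The management subnet, the CCX host address, the key=value firewall log format and the sample log lines are all assumptions constructed for the example.

```python
"""Check RMI exposure on a Unified CCX host and triage firewall logs for TCP/1099 access.

Added example for this bulletin, not Cisco code. Network addresses, the log
format and the sample data below are constructed assumptions.
"""
import ipaddress
import socket
import struct
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Java RMI transport protocol constants (from the public JRMI wire protocol).
JRMI_MAGIC = b"JRMI"
JRMI_VERSION = 2
STREAM_PROTOCOL = 0x4B          # client asks for the stream protocol
PROTOCOL_ACK = 0x4E             # server accepts
PROTOCOL_NOT_SUPPORTED = 0x4F   # server rejects


def build_jrmi_handshake() -> bytes:
    """Client opening of the JRMI stream protocol: magic, 2-byte version, protocol byte."""
    return JRMI_MAGIC + struct.pack(">H", JRMI_VERSION) + bytes([STREAM_PROTOCOL])


@dataclass
class RmiAck:
    host: str   # endpoint identifier the server echoes back (its view of the client)
    port: int


def parse_jrmi_ack(data: bytes) -> Optional[RmiAck]:
    """Parse ProtocolAck + EndpointIdentifier (UTF length-prefixed host, 4-byte port).

    Returns None for anything that is not a well-formed RMI ack, e.g. an HTTP
    banner or a ProtocolNotSupported byte, so callers never mis-classify the port.
    """
    if len(data) < 3 or data[0] != PROTOCOL_ACK:
        return None
    (hlen,) = struct.unpack(">H", data[1:3])
    end = 3 + hlen
    if len(data) < end + 4:
        return None
    host = data[3:end].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[end:end + 4])
    return RmiAck(host=host, port=port)


def probe_rmi(host: str, port: int = 1099, timeout: float = 3.0) -> Optional[RmiAck]:
    """Live check (needs network): connect, send the handshake, parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_jrmi_handshake())
        data = sock.recv(1024)
    return parse_jrmi_ack(data)


# Assumed environment: one trusted management subnet and one CCX host.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
CCX_HOSTS = frozenset({"10.20.5.15"})


def triage_firewall_log(lines: Iterable[str],
                        mgmt_nets=MANAGEMENT_NETS,
                        ccx_hosts=CCX_HOSTS) -> List[Tuple[str, str, str]]:
    """Return (src, dst, action) for TCP/1099 hits on CCX hosts from outside management nets.

    Denied connections are reported too: a blocked attempt is still a scan or
    exploitation attempt worth investigating.
    """
    findings = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("proto") != "tcp" or fields.get("dpt") != "1099":
            continue
        if fields.get("dst") not in ccx_hosts:
            continue
        src = ipaddress.ip_address(fields["src"])
        if any(src in net for net in mgmt_nets):
            continue
        findings.append((fields["src"], fields["dst"], fields.get("action", "?")))
    return findings


# Constructed sample data: a server ack for client 10.0.0.5:54321, and four firewall records.
SAMPLE_ACK = b"\x4e\x00\x08" + b"10.0.0.5" + b"\x00\x00\xd4\x31"
SAMPLE_LOG = [
    "2025-11-05T10:01:12Z action=allow proto=tcp src=10.10.0.7 spt=51022 dst=10.20.5.15 dpt=1099",
    "2025-11-05T10:02:40Z action=allow proto=tcp src=198.51.100.23 spt=40211 dst=10.20.5.15 dpt=1099",
    "2025-11-05T10:03:01Z action=allow proto=tcp src=198.51.100.23 spt=40212 dst=10.20.5.15 dpt=443",
    "2025-11-05T10:04:15Z action=deny proto=tcp src=203.0.113.9 spt=39000 dst=10.20.5.15 dpt=1099",
]

if __name__ == "__main__":
    for src, dst, action in triage_firewall_log(SAMPLE_LOG):
        print(f"non-management access to RMI: {src} -> {dst}:1099 ({action})")
    if len(sys.argv) > 1:   # optional live probe: python rmi_check.py <ccx-host>
        ack = probe_rmi(sys.argv[1])
        print("RMI registry reachable" if ack else "no RMI ack on 1099")
```

Run without arguments to see the triage over the embedded sample records; pass a CCX hostname to perform the live handshake from the network segment you want to verify (a ProtocolAck from a non-management segment means the segmentation in the recommendations above is not yet in place). The probe is a read-only handshake and sends no RMI calls.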