Cybersecurity Blog | RedLegg

Security Bulletin: Cisco Unified Contact Center Express (CCX)

Written by RedLegg's Cyber Threat Intelligence Team | 11/6/25 4:42 PM

About:

Cisco has published a security advisory for CVE-2025-20354 and released fixed software versions for affected Unified CCX deployments.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Unauthenticated Java RMI Unrestricted File Upload / Remote Code Execution in Cisco Unified Contact Center Express (CCX)

CVSS Score: 9.8 (CVSS v3.1)
Identifier: CVE-2025-20354   
Exploit or Proof of Concept (PoC): No
Update: Cisco has published a security advisory for CVE-2025-20354 and released fixed software versions for affected Unified CCX deployments. Administrators must update to the corrected release immediately. The patched versions are available in Cisco's official advisory at: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ



Description:  

CVE-2025-20354 is a critical vulnerability in Cisco Unified Contact Center Express (Unified CCX) related to its Java Remote Method Invocation (RMI) interface. Due to improper input validation and authentication enforcement, an attacker can invoke a specific RMI endpoint that allows unrestricted file upload. The malicious file can then be executed by the system, resulting in complete compromise of the server.
 
This flaw is network-exploitable and requires no authentication or user interaction. If the RMI service is exposed to untrusted networks, attackers can gain remote system-level access, potentially compromising both the CCX server and any integrated call center systems or databases.



Mitigation Recommendation:   

Identify all instances of Cisco Unified CCX within your environment and confirm whether the RMI service (TCP port 1099) is accessible.

Apply the Cisco-provided security update immediately. Verify the installed build against the fixed versions listed in Cisco's advisory.

Restrict network access to the RMI service by blocking TCP port 1099 on firewalls and segmentation points. Allow access only from trusted management networks.

Disable any unnecessary or unused administration services on Unified CCX appliances.

Enable multifactor authentication for administrative interfaces and ensure role-based access controls are enforced.

Monitor network logs and intrusion detection systems for connections to TCP/1099 or other unusual traffic targeting Unified CCX systems.

Investigate for signs of compromise such as new or modified files within CCX directories, unexpected processes spawned by CCX services, or unauthorized configuration changes.

If compromise is suspected, isolate affected systems, reset all relevant credentials, reimage or rebuild servers from known good sources, and perform a full forensic review.
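
One way to carry out the log-monitoring step above, as an added example that is not from Cisco's advisory or RedLegg's tooling: it reviews flow records for connections to TCP/1099 on Unified CCX hosts from sources outside the trusted management networks. The CSV record layout, host addresses and management range are assumptions constructed for illustration.

```python
import csv
import ipaddress
from collections import Counter

RMI_PORT = 1099  # TCP port the bulletin names for the Unified CCX RMI service
# Assumptions for this example: the host inventory and management range are site-specific.
CCX_HOSTS = {"10.20.0.15", "10.20.0.16"}
TRUSTED_MGMT = [ipaddress.ip_network("10.99.0.0/24")]

# Constructed sample flow records: time,src,dst,dst_port,proto,action
SAMPLE_LOG = """\
2025-11-06T16:01:02Z,10.99.0.7,10.20.0.15,1099,tcp,allow
2025-11-06T16:03:40Z,192.0.2.44,10.20.0.15,1099,tcp,allow
2025-11-06T16:03:41Z,192.0.2.44,10.20.0.16,1099,tcp,deny
2025-11-06T16:05:10Z,10.30.4.9,10.20.0.15,443,tcp,allow
2025-11-06T16:07:55Z,10.30.4.9,10.20.0.16,1099,tcp,allow
2025-11-06T16:08:00Z,192.0.2.44,10.50.1.1,1099,tcp,allow
malformed line without enough fields
"""

def is_trusted(src, trusted=TRUSTED_MGMT):
    addr = ipaddress.ip_address(src)  # raises ValueError on a bad address
    return any(addr in net for net in trusted)

def find_untrusted_rmi(log_text, hosts=CCX_HOSTS, trusted=TRUSTED_MGMT):
    """Return flow records that hit TCP/1099 on a CCX host from outside trusted ranges."""
    findings = []
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 6:
            continue  # skip malformed records rather than abort the review
        ts, src, dst, port, proto, action = (f.strip() for f in row)
        try:
            if proto.lower() != "tcp" or int(port) != RMI_PORT or dst not in hosts:
                continue
            if is_trusted(src, trusted):
                continue
        except ValueError:
            continue  # unparseable port or source address
        findings.append({"time": ts, "src": src, "dst": dst, "action": action.lower()})
    return findings

def allowed_by_source(findings):
    """Count connections the firewall let through, per source; review these first."""
    return Counter(f["src"] for f in findings if f["action"] == "allow")

if __name__ == "__main__":
    hits = find_untrusted_rmi(SAMPLE_LOG)
    for f in hits:
        print(f"{f['time']} {f['src']} -> {f['dst']}:{RMI_PORT} ({f['action']})")
```

Denied records confirm the port block is working; allowed records from untrusted sources point to a segmentation gap and a host to prioritize in the compromise investigation.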