
Critical Cisco UCCX RMI Vulnerability Exploitable for Root Command Execution


Summary


A critical vulnerability in Cisco Unified Contact Center Express (UCCX) allows unauthenticated attackers to execute commands with root privileges. The flaw, CVE-2025-20354, resides in the Java Remote Method Invocation (RMI) process. Cisco has released patches to address this issue. The UCCX platform is a software solution for managing customer interactions in call centers. The vulnerability enables attackers to upload crafted files and execute arbitrary commands on the underlying operating system. Cisco also patched a critical flaw in the CCX Editor application, which allows unauthenticated attackers to bypass authentication and execute arbitrary scripts with admin permissions. Updates are available for affected versions.

Timeline

  1. 06.11.2025 15:31

    Cisco patches critical UCCX RMI vulnerability enabling root command execution

    Cisco has released security updates to patch a critical vulnerability in the Unified Contact Center Express (UCCX) software. The flaw, CVE-2025-20354, allows unauthenticated attackers to execute commands with root privileges. The vulnerability resides in the Java RMI process and can be exploited by uploading crafted files. Cisco has also patched a critical flaw in the CCX Editor application, which allows unauthenticated attackers to bypass authentication and execute arbitrary scripts with admin permissions. The affected versions of Cisco UCCX and the corresponding fixed releases are:

    - 12.5 SU3 and earlier: fixed in 12.5 SU3 ES07
    - 15.0: fixed in 15.0 ES01

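As an added example (not code from the page, from Cisco, or from the tracker), a small Python checker that parses UCCX release strings and compares them against the two fixed releases stated above, so an inventory can be triaged without hand-reading version strings. The release-string grammar, the inventory entries, and the "unknown" verdict for trains the advisory summary does not cover are assumptions.

```python
import re
from typing import NamedTuple


class UccxRelease(NamedTuple):
    major: int
    minor: int
    su: int  # Service Update number, 0 when absent
    es: int  # Engineering Special number, 0 when absent


# Assumed grammar: "12.5 SU3 ES07", "12.5(1)SU3", "15.0 ES01", "15.0"
_RELEASE_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\(\d+\))?(?:\s*SU(\d+))?(?:\s*ES(\d+))?\s*$",
    re.IGNORECASE,
)

# Fixed releases as listed on this page
FIXED_12_5 = UccxRelease(12, 5, 3, 7)  # 12.5 SU3 ES07
FIXED_15_0 = UccxRelease(15, 0, 0, 1)  # 15.0 ES01


def parse_release(text: str) -> UccxRelease:
    """Turn a UCCX release string into a comparable tuple."""
    m = _RELEASE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised UCCX release string: {text!r}")
    major, minor, su, es = m.groups()
    return UccxRelease(int(major), int(minor), int(su or 0), int(es or 0))


def is_patched(text: str) -> bool:
    """True if the release is at or beyond the fix for CVE-2025-20354."""
    r = parse_release(text)
    if (r.major, r.minor) == (15, 0):
        return r >= FIXED_15_0  # 15.0 ES01 or a later ES on 15.0
    if (r.major, r.minor, r.su) <= (12, 5, 3):
        # "12.5 SU3 and earlier" is affected; only 12.5 SU3 ES07+ carries the fix
        return r >= FIXED_12_5
    # Assumption: trains not named on the page (e.g. 12.5 SU4) are reported as unknown
    raise ValueError(f"release train not covered by the advisory summary: {text!r}")


def triage(inventory: dict) -> dict:
    """Map hostname -> 'patched' | 'vulnerable' | 'unknown' for an inventory."""
    verdicts = {}
    for host, release in inventory.items():
        try:
            verdicts[host] = "patched" if is_patched(release) else "vulnerable"
        except ValueError:
            verdicts[host] = "unknown"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    sample = {"uccx-a": "12.5 SU3 ES06", "uccx-b": "15.0 ES01", "uccx-c": "12.5 SU4"}
    print(triage(sample))
```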


Similar Happenings

CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, which mandates that federal agencies identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread: it exploits zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs and manipulates read-only memory (ROM) to persist through reboots and system upgrades. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which has exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered agencies to permanently disconnect ASA devices reaching end of support by September 30 from their networks.

The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families, RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat. Nearly 50,000 Cisco ASA and FTD appliances were vulnerable to actively exploited flaws. The vulnerabilities CVE-2025-20333 and CVE-2025-20362 enable arbitrary code execution and access to restricted URL endpoints. The Shadowserver Foundation discovered over 48,800 internet-exposed ASA and FTD instances still vulnerable to the flaws. The majority of vulnerable devices are located in the United States, followed by the United Kingdom, Japan, Germany, Russia, Canada, and Denmark. The Shadowserver Foundation's data is as of September 29, indicating a lack of response to the ongoing exploitation activity. GreyNoise had warned on September 4 about suspicious scans targeting Cisco ASA devices, indicating upcoming undocumented flaws. CISA's emergency directive gave FCEB agencies 24 hours to identify and upgrade vulnerable Cisco ASA and FTD instances. CISA advised that ASA devices reaching their end of support should be disconnected from federal networks by the end of September. The U.K. NCSC reported that the hackers deployed the LINE VIPER shellcode loader malware and the RayInitiator GRUB bootkit.

Cisco disclosed a new attack variant targeting devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases susceptible to CVE-2025-20333 and CVE-2025-20362. The new attack can cause unpatched devices to unexpectedly reload, leading to denial-of-service (DoS) conditions. Cisco credited security researcher Jahmel Harris for discovering and reporting the vulnerabilities. Cisco addressed two critical security flaws in Unified Contact Center Express (Unified CCX) that could permit an unauthenticated, remote attacker to upload arbitrary files, bypass authentication, execute arbitrary commands, and elevate privileges to root. Cisco has shipped patches for a high-severity DoS bug (CVE-2025-20343) in Identity Services Engine (ISE) that could allow an unauthenticated, remote attacker to cause a susceptible device to restart unexpectedly. Cisco warned that vulnerabilities CVE-2025-20362 and CVE-2025-20333 are now being exploited to force ASA and FTD firewalls into reboot loops. Shadowserver is currently tracking over 34,000 internet-exposed ASA and FTD instances vulnerable to CVE-2025-20333 and CVE-2025-20362 attacks, down from nearly 50,000 unpatched firewalls in September. Cisco disclosed new vulnerabilities in certain Cisco ASA 5500-X devices running Cisco Secure Firewall ASA software with VPN web services enabled, discovered in collaboration with several government agencies. Cisco attributed these attacks to the same state-sponsored group behind the 2024 ArcaneDoor campaign and urged customers to apply the available software fixes. On November 5, 2025, Cisco became aware of a new attack variant targeting devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases affected by the same vulnerabilities, causing unpatched devices to unexpectedly reload and leading to denial of service (DoS) conditions.

Cisco released security updates to patch critical security flaws in its Contact Center software, which could enable attackers to bypass authentication (CVE-2025-20358) and execute commands with root privileges (CVE-2025-20354).