Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

Cisco Unified CCX Java RMI Unauthenticated Root RCE

IdentifiersCVE-2025-20354CWE-434· Unrestricted Upload of File with…

CVE-2025-20354 is a critical vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified Contact Center Express (Unified CCX). The flaw is caused by improper authentication associated with specific Unified CCX features, where certain RMI endpoints fail to enforce authentication. An unauthenticated remote attacker can send crafted RMI requests, typically to the exposed RMI service on TCP port 1099, to invoke file upload functionality and upload an arbitrary crafted file to the target system. Successful exploitation allows subsequent execution of arbitrary commands on the underlying operating system with root privileges.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in unauthenticated remote code execution on the affected Unified CCX appliance with root permissions. This gives an attacker full compromise of the system, including the ability to run arbitrary OS commands, modify or replace files, install malware or persistence mechanisms, access sensitive application and system data, and use the host as a pivot for further intrusion.

Mitigation

If you can’t patch tonight, do this now.

The available content states there are no workarounds for this vulnerability. Interim risk reduction is limited to restricting network access to the Java RMI interface, especially TCP port 1099, to trusted management paths only, and preventing exposure of the vulnerable service until patches can be applied.

Remediation

Patch, then assume compromise.

Apply Cisco's fixed software releases for Unified CCX. The provided content states fixes are available in Unified CCX 12.5 SU3 ES07 and 15.0 ES01, and that versions prior to the fixed releases are vulnerable. Upgrade affected deployments to the appropriate fixed release referenced in Cisco advisory cisco-sa-cc-unauth-rce-QeN8h7mQ.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Cisco SystemsUnified Ccxapplication
Cisco SystemsUnified Contact Center Expressapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

31 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

31 SOURCESView more in app
securityaffairsNews
Nov 7, 2025
Cisco fixes critical UCCX flaw allowing Root command execution

Critical unauthenticated remote vulnerability in Cisco Unified Contact Center Express (Unified CCX) Java RMI process that allows arbitrary file upload and arbitrary command execution, resulting in root-level code execution on the underlying OS.

Read more
register securityNews
Nov 6, 2025
Cisco warns of 'new attack variant' battering firewalls under exploit for 6 months

A critical remote code execution and privilege escalation vulnerability in Cisco Unified Contact Center Express (CCX) due to improper authentication in the Java RMI process, allowing unauthenticated attackers to upload files and execute commands as root.

Read more
help net securityNews
Nov 6, 2025
Cisco fixes critical UCCX flaws, patch ASAP! (CVE-2025-20358, CVE-2025-20354)

A critical unauthenticated remote code execution vulnerability in Cisco UCCX’s Java RMI process that allows crafted file upload leading to arbitrary command execution with root privileges.

Read more
the hacker newsNews
Nov 6, 2025
Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362

A critical Cisco Unified Contact Center Express (Unified CCX) Java RMI flaw enabling unauthenticated arbitrary file upload and arbitrary command execution with root privileges.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity23

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-20354
NVD
nvd.nist.gov/vuln/detail/CVE-2025-20354
MITRE CWE · CWE-434
Unrestricted Upload of File with Dangerous Type
Vendor Advisory
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ