Cisco released patches for two critical vulnerabilities in its Unified Contact Center Express (CCX) that could allow attackers to bypass authentication and execute commands as root on the underlying system.
The company also warned today about a new attack variation targeting two previously patched vulnerabilities in its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software. The flaws were exploited in the wild by a cyberespionage group tracked as UAT4356 or Storm-1849.
The two vulnerabilities in Unified CCX impact version 15.0, as well as versions 12.5 SU3 and earlier, regardless of configuration. The company released versions 15.0 ES01 and 12.5 SU3 ES07 to address these flaws and urged customers to install them.
Cisco Unified CCX is a contact center solution for midsize businesses with up to 400 agents. It performs automated call routing and interactive voice response, and it enables agents to interact with customers through multiple channels, including voice, web chat, email, and social media through a unified desktop client.
Authentication bypass and remote code execution
One of the flaws, tracked as CVE-2025-20354, is located in the Editor application and allows a remote attacker to bypass authentication and obtain the ability to create and execute scripts with administrative privileges. This vulnerability received a CVSS rating of 9.4 out of 10.
“This vulnerability is due to improper authentication mechanisms in the communication between the CCX Editor and an affected Unified CCX server,” the company said in its advisory. “An attacker could exploit this vulnerability by redirecting the authentication flow to a malicious server and tricking the CCX Editor into believing the authentication was successful.”
The second flaw, tracked as CVE-2025-20354, could allow an unauthenticated attacker to upload a specially crafted file to a vulnerable Cisco Unified CCX server through the Java Remote Method Invocation (RMI) process. This attack could result in the execution of commands on the underlying OS with root privileges. The CVSS severity rating for this flaw is 9.8.
While Cisco is not aware of any malicious exploitation of these flaws, users should deploy the patches as soon as possible, because these are the type of flaws that attackers tend to adopt very quickly.
The company has also patched four medium-severity flaws in Unified CCX, Cisco Unified Contact Center Enterprise (CCE), Cisco Packaged Contact Center Enterprise (CCE) and Cisco Unified Intelligence Center (UIC).
Tracked as CVE-2025-20374, CVE-2025-20375, CVE-2025-20376, and CVE-2025-20377, these flaws can lead to sensitive information disclosure, arbitrary file download, arbitrary command execution, and privilege escalation to root. However, to be exploited, they require authentication as a valid user.
New attack variant for ASA and FTD
Separately, Cisco warned that hackers have developed a new attack variant for CVE-2025-20333 and CVE-2025-20362, two actively exploited flaws in Cisco ASA and FTD originally patched in September. While the flaws were initially exploited for unauthorized access to VPN endpoints and remote code execution, the new attack variation can only lead to unexpected device reboots and denial-of-service conditions.