Cyber Resilience

CVE-2025-20274

Medium

Published: 16 July 2025

Published
16 July 2025
Modified
22 July 2025
KEV Added
Patch
CVSS Score v3.1 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0096 76.9th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-20274 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Cisco Unified Contact Center Express. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2025-20274 affects the web-based management interface of Cisco Unified Intelligence Center. The vulnerability stems from improper validation of files uploaded through this interface, enabling an authenticated remote attacker to upload arbitrary files to the device. Published on 2025-07-16, it has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

An attacker must possess valid credentials for a user account with at least the Report Designer role to exploit this issue. Upon successful exploitation, the attacker can store malicious files on the system and execute arbitrary commands on the operating system. Cisco raised the Security Impact Rating (SIR) to High due to the potential for privilege escalation to root.

The official Cisco Security Advisory provides details on mitigation and patches: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuis-file-upload-UhNEtStm.

EU & UK References

Vulnerability details

A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to improper validation of files that are uploaded to the…

more

web-based management interface. An attacker could exploit this vulnerability by uploading arbitrary files to an affected device. A successful exploit could allow the attacker to store malicious files on the system and execute arbitrary commands on the operating system. The Security Impact Rating (SIR) of this advisory has been raised to High because an attacker could elevate privileges to root. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Report Designer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload in web management interface directly enables remote exploitation of public-facing app (T1190), arbitrary command execution via uploaded files (T1505.003 web shell), and root privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-20354Same product: Cisco Unified Contact Center Express
CVE-2026-20098Same vendor: Cisco
CVE-2025-20358Same product: Cisco Unified Contact Center Express
CVE-2025-20333Same vendor: Cisco
CVE-2025-13536Shared CWE-434
CVE-2025-12968Shared CWE-434
CVE-2025-11755Shared CWE-434
CVE-2025-20124Same vendor: Cisco
CVE-2025-20125Same vendor: Cisco
CVE-2025-20337Same vendor: Cisco

Affected Assets

cisco
unified intelligence center
10.5\(1\), 11.0\(1\), 11.0\(2\), 11.0\(3\), 11.5\(1\)
cisco
unified contact center express
10.5\(1\), 10.5\(1\)su1, 10.5\(1\)su1es10, 10.6\(1\), 10.6\(1\)su1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of uploaded file content and type, which is the root cause (improper validation) enabling arbitrary file upload and command execution.

preventdetect

Requires malicious-code scanning and blocking of uploaded files before they can be stored or executed on the system.

prevent

Enforces least functionality by disabling or restricting the web interface file-upload capability and permitted file types for the Report Designer role.

References