CVE-2025-20274
Published: 16 July 2025
Summary
CVE-2025-20274 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Cisco Unified Contact Center Express. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2025-20274 affects the web-based management interface of Cisco Unified Intelligence Center. The vulnerability stems from improper validation of files uploaded through this interface, enabling an authenticated remote attacker to upload arbitrary files to the device. Published on 2025-07-16, it has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
An attacker must possess valid credentials for a user account with at least the Report Designer role to exploit this issue. Upon successful exploitation, the attacker can store malicious files on the system and execute arbitrary commands on the operating system. Cisco raised the Security Impact Rating (SIR) to High due to the potential for privilege escalation to root.
The official Cisco Security Advisory provides details on mitigation and patches: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuis-file-upload-UhNEtStm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21714
Vulnerability details
A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to improper validation of files that are uploaded to the…
more
web-based management interface. An attacker could exploit this vulnerability by uploading arbitrary files to an affected device. A successful exploit could allow the attacker to store malicious files on the system and execute arbitrary commands on the operating system. The Security Impact Rating (SIR) of this advisory has been raised to High because an attacker could elevate privileges to root. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Report Designer.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unrestricted file upload in web management interface directly enables remote exploitation of public-facing app (T1190), arbitrary command execution via uploaded files (T1505.003 web shell), and root privilege escalation (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of uploaded file content and type, which is the root cause (improper validation) enabling arbitrary file upload and command execution.
Requires malicious-code scanning and blocking of uploaded files before they can be stored or executed on the system.
Enforces least functionality by disabling or restricting the web interface file-upload capability and permitted file types for the Report Designer role.