CVE-2025-20354
Published: 05 November 2025
Summary
CVE-2025-20354 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Cisco Unified Contact Center Express. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE ranks at the 39.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely patching of the improper authentication flaw in the Java RMI process to prevent unauthenticated file uploads and RCE.
Requires identification and authentication for non-organizational users or remote processes, preventing unauthenticated access to the vulnerable RMI features.
Enforces validation of information inputs to block unrestricted uploads of dangerous files through the Java RMI process.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of public-facing Java RMI service for arbitrary file upload leading to OS command execution (T1190); directly enables root privilege escalation via exploitation (T1068).
NVD Description
A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with root permissions on an affected system. This vulnerability is due to improper authentication mechanisms that are associated to specific Cisco Unified CCX features. An attacker could exploit this vulnerability by uploading a crafted file to an affected system through the Java RMI process. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root.
Deeper analysis
CVE-2025-20354 is a critical vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX, arising from improper authentication mechanisms associated with specific features. Published on 2025-11-05, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw allows an unauthenticated, remote attacker to upload arbitrary files to an affected system.
An unauthenticated, remote attacker can exploit the vulnerability by uploading a crafted file through the Java RMI process. Successful exploitation enables the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root.
The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ provides details on affected versions and recommended mitigations.
Details
- CWE(s)