Cyber Resilience

CVE-2025-20358

Critical

Published: 05 November 2025

Modified: 07 November 2025
KEV Added: not listed
Patch: see vendor advisory
CVSS Score (v3.1): 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0097 (77.1st percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-20358 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Cisco Unified Contact Center Express. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-9 (Service Identification and Authentication).

Deeper analysis

CVE-2025-20358 is a critical-severity vulnerability (CVSS 9.4) in the Contact Center Express (CCX) Editor application of Cisco Unified CCX, stemming from improper authentication mechanisms in the communication between the CCX Editor and an affected Unified CCX server. The flaw, classified under CWE-306 (Missing Authentication for Critical Function), allows an unauthenticated, remote attacker to bypass authentication entirely and obtain the administrative permissions that govern script creation and execution on the server.

An attacker can exploit this vulnerability by redirecting the authentication flow to a malicious server and tricking the CCX Editor into accepting it as successful. No privileges, user interaction, or special access are required (AV:N/AC:L/PR:N/UI:N), allowing network-based exploitation with low complexity. Successful exploitation grants the attacker the ability to create and execute arbitrary scripts on the underlying operating system of the affected Unified CCX server, running under an internal non-root user account, potentially leading to high confidentiality and integrity impacts alongside limited availability disruption (C:H/I:H/A:L).

Cisco has published a security advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ providing details on the vulnerability, affected versions, and recommended mitigation steps.

Vulnerability details

A vulnerability in the Contact Center Express (CCX) Editor application of Cisco Unified CCX could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative permissions pertaining to script creation and execution. This vulnerability is due to improper authentication mechanisms in the communication between the CCX Editor and an affected Unified CCX server. An attacker could exploit this vulnerability by redirecting the authentication flow to a malicious server and tricking the CCX Editor into believing the authentication was successful. A successful exploit could allow the attacker to create and execute arbitrary scripts on the underlying operating system of an affected Unified CCX server, as an internal non-root user account.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Vulnerability enables unauthenticated remote exploitation of a network-accessible Cisco Unified CCX server (T1190, T1210), granting administrative permissions to create and execute arbitrary scripts on the OS (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-20354: same product (Cisco Unified Contact Center Express)
- CVE-2025-20274: same product (Cisco Unified Contact Center Express)
- CVE-2025-20352: same vendor (Cisco)
- CVE-2026-5944: same vendor (Cisco)
- CVE-2025-20337: same vendor (Cisco)
- CVE-2026-20127: same vendor (Cisco)
- CVE-2025-20363: same vendor (Cisco)
- CVE-2026-20131: same vendor (Cisco)
- CVE-2026-20129: same vendor (Cisco)
- CVE-2025-20393: same vendor (Cisco)

Affected Assets

Vendor: Cisco
Product: Unified Contact Center Express
Affected versions: 15.0; 12.5(1)_su03_es07 and earlier

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- prevent: IA-9 (Service Identification and Authentication). Requires the CCX Editor to uniquely identify and authenticate the Unified CCX server as a service before communicating with it, preventing the authentication flow from being redirected to, and accepted from, a malicious server.
- prevent: session authenticity (control identifier not shown on the page). Protects the authenticity of communication sessions between the CCX Editor and the server, so that a malicious server cannot make the editor believe authentication succeeded.
- prevent: AC-14 (Permitted Actions Without Identification or Authentication). Prohibits administrative actions such as script creation and execution without identification and authentication, directly countering the missing authentication for critical functions in this vulnerability.
