CVE-2025-20358
Published: 05 November 2025
Summary
CVE-2025-20358 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Cisco Unified Contact Center Express. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 39.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-9 (Service Identification and Authentication).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires the CCX Editor to uniquely identify and authenticate the Unified CCX server as a service before communications, preventing redirection to and acceptance of a malicious server during authentication flow.
Protects the authenticity of communication sessions between the CCX Editor and server, blocking tricks that make the editor believe authentication succeeded against a malicious server.
Prohibits administrative actions like script creation and execution without identification and authentication, directly countering the missing authentication for critical functions in this vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables unauthenticated remote exploitation of a network-accessible Cisco Unified CCX server (T1190, T1210), granting administrative permissions to create and execute arbitrary scripts on the OS (T1059).
NVD Description
A vulnerability in the Contact Center Express (CCX) Editor application of Cisco Unified CCX could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative permissions pertaining to script creation and execution. This vulnerability is due to improper authentication…
more
mechanisms in the communication between the CCX Editor and an affected Unified CCX server. An attacker could exploit this vulnerability by redirecting the authentication flow to a malicious server and tricking the CCX Editor into believing the authentication was successful. A successful exploit could allow the attacker to create and execute arbitrary scripts on the underlying operating system of an affected Unified CCX server, as an internal non-root user account.
Deeper analysisAI
CVE-2025-20358 is a high-severity vulnerability (CVSS 9.4) in the Contact Center Express (CCX) Editor application of Cisco Unified CCX, stemming from improper authentication mechanisms in the communication between the CCX Editor and an affected Unified CCX server. This flaw, classified under CWE-306 (Missing Authentication for Critical Function), enables an unauthenticated, remote attacker to bypass authentication entirely and gain administrative permissions related to script creation and execution on the server.
An attacker can exploit this vulnerability by redirecting the authentication flow to a malicious server and tricking the CCX Editor into accepting it as successful. No privileges, user interaction, or special access are required (AV:N/AC:L/PR:N/UI:N), allowing network-based exploitation with low complexity. Successful exploitation grants the attacker the ability to create and execute arbitrary scripts on the underlying operating system of the affected Unified CCX server, running under an internal non-root user account, potentially leading to high confidentiality and integrity impacts alongside limited availability disruption (C:H/I:H/A:L).
Cisco has published a security advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ providing details on the vulnerability, affected versions, and recommended mitigation steps.
Details
- CWE(s)