At a glance: Cisco released patches for several products, including fixes for two critical-severity flaws affecting Cisco UCCX. No workarounds exist; patching is required. An ARO has already been issued to relevant Field Effect MDR clients, with vulnerability details and remediation steps.
Threat summary
On November 5, 2025, Cisco released a round of security patches affecting several products. Updates were issued for:
- Multiple versions of Cisco Identity Services Engine
- Cisco Unified Contact Center Express (UCCX) versions 12.5 SU3 and earlier
- UCCX version 15.0
- Cisco Unified Intelligence Center versions 12.6 and earlier, and
- Unified Intelligence Center version 15.0.
Cisco also updated its September advisory for Cisco Secure ASA Software and Cisco Secure Firepower Threat Defense (FTD) Software, reporting ongoing exploitation of CVE-2025-20333 and CVE-2025-20362 through attack vectors that differ from those previously documented.
Of the flaws fixed on November 5, two, tracked as CVE-2025-20354 and CVE-2025-20358, received the most attention. Both are critical and could allow unauthenticated remote code execution and escalation of privileges to root. The flaws affect Cisco UCCX, a contact center platform used by small to medium-sized enterprises to manage customer interactions across voice, email, and web chat.
CVE-2025-20354
CVE-2025-20354 affects the Java Remote Method Invocation (RMI) service in UCCX, which facilitates remote communication between Java applications. The vulnerability is rated with a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.
The flaw is remotely exploitable without authentication and is easy to execute. The worst-case scenario involves full system compromise and potential lateral movement within the network.
CVE-2025-20358
CVE-2025-20358 is a flaw in the CCX Editor component, which is used to create and manage call handling scripts.
The vulnerability is due to improper authentication handling between the CCX Editor and the server, which allows an attacker to redirect the authentication flow to a malicious server and execute malicious scripts as an internal non-root user. It is rated with a CVSS score of 9.4. The impact includes unauthorized control over contact center workflows and privilege escalation.
No workarounds are available for either vulnerability, and no exploitation in the wild has been observed to date.
CVE-2025-20343 and other patched vulnerabilities
Another vulnerability Cisco patched on November 5 was CVE-2025-20343, a high-severity denial-of-service vulnerability in Identity Services Engine (ISE) that allows remote exploitation via malicious RADIUS requests, causing Cisco ISE to restart unexpectedly.
Cisco also addressed eight medium-severity vulnerabilities across ISE, ISE Passive Identity Connector (ISE-PIC), Unified Contact Center Express (UCCX), Unified Contact Center Enterprise (CCE), Packaged CCE, and Cisco Unified Intelligence Center (CUIC), with potential impact including file exfiltration, information disclosure, cross-site scripting, and privilege escalation.
Analyst insight
Security teams should confirm that vulnerable interfaces are not exposed to untrusted networks and review Cisco’s advisory to assess whether their deployments are affected.
Prioritized patching is recommended for CVE-2025-20354 and CVE-2025-20358 to reduce the risk of compromise. Where applicable, Field Effect MDR users will have already received an ARO regarding these flaws, with prioritized guidance to remediate the issue.
Limiting network access to the RMI and CCX Editor interfaces may further reduce exposure.