Forwarded from Taiwan Computer Network Crisis Management and Coordination Center: Cybersecurity Alert TWCERTCC-200-202511-00000003
[Content Description]
Cisco Unified Contact Center Express (Unified CCX) is a solution that enterprises use to build customer service centers. It integrates multiple customer service channels, such as voice, instant messaging, and email, to improve customer service efficiency. Cisco recently released a security advisory for two critical vulnerabilities (CVE-2025-20354, CVSS: 9.8, and CVE-2025-20358, CVSS: 9.4). CVE-2025-20354 is a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files to affected systems and execute arbitrary commands with root privileges. CVE-2025-20358 is an authentication bypass vulnerability that could allow unauthenticated remote attackers to bypass authentication and gain administrative privileges related to script creation and execution.
[Affected Platforms]
Cisco Unified Contact Center Express 12.5 SU3 and earlier versions
Cisco Unified Contact Center Express 15.0
[Recommended Actions]
Please update to the following versions: Cisco Unified Contact Center Express 12.5 SU3 ES07 and later, or Cisco Unified Contact Center Express 15.0 ES01 and later.
[References]
1. https://www.twcert.org.tw/tw/cp-169-10496-00839-1.html