Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2025-20113, CVE-2025-20114 |
CWE-ID | CWE-602, CWE-639 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Cisco Unified Intelligence Center (Server applications / DLP, anti-spam, sniffers), Cisco Unified Contact Center Express (Server applications / Web servers) |
Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU109644
Risk: Medium
CVSSv4.0: 5.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-20113
CWE-ID:
CWE-602 - Client-Side Enforcement of Server-Side Security
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient server-side validation of user-supplied parameters in API or HTTP requests. A remote user can access, modify, or delete data beyond the sphere of their intended access level.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Cisco Unified Intelligence Center: 12.5 - 12.6
Cisco Unified Contact Center Express: - - 12.5(1)SU3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU109645
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-20114
CWE-ID:
CWE-639 - Authorization Bypass Through User-Controlled Key
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient validation of user-supplied parameters in API requests. A remote user can perform an insecure direct object reference (IDOR) attack and gain access to specific data that is associated with different users on the affected system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Cisco Unified Intelligence Center: 12.5 - 12.6
Cisco Unified Contact Center Express: - - 12.5(1)SU3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.