Cisco Unified Contact Center Products Directory Traversal Vulnerability Allowing Arbitrary File Access

Vulnerability

A directory traversal vulnerability has been identified in the web UI of Cisco Unified Contact Center Express (CCX) versions 12.5 SU3 and earlier, as well as 15.0, and in Cisco Unified Contact Center Enterprise (CCE) and Packaged Contact Center Enterprise (Packaged CCE). It allows an authenticated, remote attacker to access arbitrary files on the underlying operating system. The issue arises from insufficient input validation related to specific UI features, which an attacker can exploit by sending crafted requests. Successful exploitation requires valid administrative credentials.

Impact

Exploitation of this vulnerability could lead to unauthorized read access to arbitrary files on the affected system's operating system.

Remediation

Cisco has released software updates to address this vulnerability. Users are advised to upgrade to Cisco Unified CCX version 12.5 SU3 ES07 or 15.0 ES01. For Cisco Unified Intelligence Center, upgrade to version 15.0(01) ES202508.

Added: Nov 5, 2025, 5:30 PM
Updated: Nov 5, 2025, 5:30 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 2.5
exploitability: 4.4
remediation: 7.7
relevance: 0.9
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.