CVE-2025-20113 Overview
CVE-2025-20113 is a privilege escalation vulnerability in Cisco Unified Intelligence Center and Cisco Unified Contact Center Express. An authenticated, remote attacker can elevate privileges to Administrator for a limited set of functions by submitting crafted API or HTTP requests. The flaw is rooted in insufficient server-side validation of user-supplied parameters, classified under [CWE-602] (Client-Side Enforcement of Server-Side Security).
Successful exploitation allows attackers to access, modify, or delete data beyond their intended access level, including potentially sensitive information stored on the affected system. The vulnerability affects multiple versions across both product lines, spanning releases 10.5(1) through 12.6(2).
Critical Impact
An authenticated low-privileged user can elevate to Administrator-level access on a subset of functions, exposing sensitive contact center reporting data and configuration information.
Affected Products
- Cisco Unified Intelligence Center versions 10.5(1) through 12.6(2)
- Cisco Unified Contact Center Express versions 8.5(1) through 12.5(1)SU3
- Associated Engineering Specials (ES) and Service Updates (SU) across the listed versions
Discovery Timeline
- 2025-05-21 - CVE-2025-20113 published to NVD
- 2025-07-22 - Last updated in NVD database
Technical Details for CVE-2025-20113
Vulnerability Analysis
The vulnerability resides in how Cisco Unified Intelligence Center processes API and HTTP requests. The application relies on client-side enforcement of access controls rather than properly validating user-supplied parameters on the server. An attacker with valid low-privileged credentials can manipulate request parameters to invoke administrative functionality not authorized for their role.
The affected components serve as the reporting and analytics layer for Cisco's contact center deployments. They handle sensitive operational data including call records, agent performance metrics, and customer interaction details. Privilege escalation in this context exposes confidential business and customer data.
Root Cause
The root cause is [CWE-602] Client-Side Enforcement of Server-Side Security. The application trusts parameters supplied by authenticated clients without performing adequate authorization checks on the server side. When a user submits a request, the server fails to validate whether the requesting account possesses the privileges required for the requested action.
This design flaw allows role-based access controls to be bypassed by directly crafting HTTP or API requests that mimic those issued by Administrator accounts. The server processes these requests as if they originated from a privileged session.
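The pattern described here, shown as a hypothetical reporting-service handler in Python (added example; this is not Cisco's code, and the endpoint paths, session store and role names are assumptions). The vulnerable handler reads the caller's role from a request parameter, which is exactly what a UI that merely hides administrative controls ends up doing; the hardened handler derives the role from the server-side session and checks every endpoint against an allow-list, denying by default.

```python
"""CWE-602 illustration: client-supplied role versus server-side session role.

Hypothetical handlers, not Cisco Unified Intelligence Center code. Endpoint
paths, session tokens and role names below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed server-side session store: session token -> authenticated identity.
# A real application would take this from its session manager.
SESSIONS = {
    "sess-admin-1": {"user": "ops_admin", "role": "Administrator"},
    "sess-user-7": {"user": "report_viewer", "role": "ReportViewer"},
}

# Hypothetical endpoint -> roles permitted to invoke it (server-side policy).
ENDPOINT_ROLES = {
    "/api/reports/list": {"Administrator", "ReportViewer"},
    "/api/reports/delete": {"Administrator"},
    "/api/config/export": {"Administrator"},
}


@dataclass
class Request:
    session: str
    path: str
    params: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def handle_vulnerable(req: Request) -> Response:
    """Vulnerable pattern: the role is read from a client-supplied parameter.

    The UI only hides administrative controls from non-admins, so the server
    accepts whatever role value arrives in the request.
    """
    if req.session not in SESSIONS:
        return Response(401, "unauthenticated")
    claimed_role = req.params.get("role", "ReportViewer")
    if claimed_role not in ENDPOINT_ROLES.get(req.path, set()):
        return Response(403, "forbidden")
    return Response(200, f"{req.path} executed as {claimed_role}")


def handle_hardened(req: Request) -> Response:
    """Fixed pattern: the role comes from the server-side session only, and
    each endpoint is checked against the allow-list; unknown paths are denied.
    """
    identity = SESSIONS.get(req.session)
    if identity is None:
        return Response(401, "unauthenticated")
    allowed = ENDPOINT_ROLES.get(req.path)
    if allowed is None:
        return Response(404, "unknown endpoint")  # deny by default
    if identity["role"] not in allowed:
        return Response(403, "forbidden")
    return Response(200, f"{req.path} executed as {identity['role']}")


if __name__ == "__main__":
    # A low-privileged session sending a request with a tampered role value.
    tampered = Request("sess-user-7", "/api/reports/delete", {"role": "Administrator"})
    print("vulnerable:", handle_vulnerable(tampered))
    print("hardened:  ", handle_hardened(tampered))
```

The difference that matters is where the role value comes from: anything the client can edit (query string, JSON body, hidden form field, custom header) must be treated as untrusted input, and the authorization decision must be made against the identity the server itself established at login.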
Attack Vector
Exploitation requires the attacker to hold valid credentials on the target system. The attacker authenticates normally, then issues a modified API or HTTP request targeting functionality reserved for Administrators. The request parameters are tailored to invoke administrative actions or retrieve restricted data.
No user interaction is required beyond the attacker's own authenticated session. The attack is conducted entirely over the network, making it viable from any host with access to the management interface. Refer to the Cisco Security Advisory for vendor-specific technical details.
Detection Methods for CVE-2025-20113
Indicators of Compromise
- Unexpected administrative actions performed under low-privileged user accounts in Unified Intelligence Center audit logs
- API or HTTP requests from non-administrative sessions invoking endpoints typically restricted to Administrator role
- Anomalous data access patterns, including bulk retrieval of report data, by accounts without Administrator privileges
- Unauthorized modification or deletion of report definitions, dashboards, or configuration objects
Detection Strategies
- Review web server and application logs for HTTP requests targeting administrative API endpoints from sessions associated with non-administrative user roles
- Correlate authentication events with subsequent privileged actions to identify role-action mismatches
- Monitor for parameter tampering patterns in API request bodies and query strings on Unified Intelligence Center endpoints
Monitoring Recommendations
- Enable detailed audit logging on Cisco Unified Intelligence Center and forward logs to a centralized SIEM for correlation
- Establish baselines for normal user activity per role and alert on deviations such as privilege boundary crossings
- Track failed and successful authorization events on sensitive API paths and alert on anomalous volume
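The detection strategies and monitoring recommendations above, applied to constructed log data in Python (added example, not part of the original advisory). The log format, the list of administrative paths and the per-role request baselines are assumptions, not Cisco Unified Intelligence Center's real log schema or routes; adapt the parser and path list to what your deployment actually emits. The script correlates successful authentication events with subsequent requests to flag role-action mismatches, and counts report retrievals per account to flag bulk access above the role's baseline.

```python
"""Correlate authentication events with API requests to flag privilege-boundary
crossings and bulk report access.

Added example with an assumed key=value log format; the paths, roles and
baselines are constructed and not specific to any Cisco product.
"""
import re
from collections import Counter

# Assumed administrative API path prefixes (hypothetical, not CUIC's routes).
ADMIN_PATHS = ("/api/admin/", "/api/config/", "/api/reports/delete")

# Assumed per-role baseline: report data fetches tolerated per account per window.
BASELINE_REPORT_FETCHES = {"Administrator": 200, "ReportViewer": 20}

# Constructed authentication events: the role each account logged in with.
AUTH_LOG = """\
2025-07-01T09:00:01Z AUTH user=ops_admin role=Administrator session=s1 result=success
2025-07-01T09:02:10Z AUTH user=report_viewer role=ReportViewer session=s2 result=success
2025-07-01T09:05:44Z AUTH user=agent_sup role=ReportViewer session=s3 result=success
"""

# Constructed access log: a ReportViewer session (s2) reaching admin paths, and
# another (s3) pulling 25 report data sets in one minute.
ACCESS_LOG = """\
2025-07-01T09:01:00Z session=s1 method=GET path=/api/config/export status=200
2025-07-01T09:03:00Z session=s2 method=GET path=/api/reports/list status=200
2025-07-01T09:03:05Z session=s2 method=POST path=/api/reports/delete status=200
2025-07-01T09:03:09Z session=s2 method=GET path=/api/admin/users status=200
2025-07-01T09:04:00Z session=s3 method=GET path=/api/reports/list status=200
""" + "".join(
    f"2025-07-01T09:06:{i:02d}Z session=s3 method=GET path=/api/reports/data?id={i} status=200\n"
    for i in range(25)
)

KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> dict:
    """Split a timestamped key=value line into a dict; timestamp stored as 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def session_roles(auth_log: str) -> dict:
    """Map session id -> (user, role) from successful authentication events."""
    roles = {}
    for line in auth_log.splitlines():
        ev = parse_kv(line)
        if ev.get("result") == "success":
            roles[ev["session"]] = (ev["user"], ev["role"])
    return roles


def detect(auth_log: str, access_log: str) -> list:
    """Return findings as tuples: (kind, user, detail, context)."""
    roles = session_roles(auth_log)
    findings = []
    fetches = Counter()
    for line in access_log.splitlines():
        ev = parse_kv(line)
        user, role = roles.get(ev["session"], ("unknown", "unknown"))
        path = ev["path"].split("?", 1)[0]  # drop the query string
        # Strategy 1: administrative endpoint reached by a non-administrator session.
        if role != "Administrator" and path.startswith(ADMIN_PATHS):
            findings.append(("role_action_mismatch", user, path, ev["ts"]))
        # Strategy 2: count successful report data retrievals per account.
        if path == "/api/reports/data" and ev["status"] == "200":
            fetches[(user, role)] += 1
    for (user, role), n in fetches.items():
        if n > BASELINE_REPORT_FETCHES.get(role, 0):
            findings.append(("bulk_report_access", user, f"{n} fetches", role))
    return findings


if __name__ == "__main__":
    for finding in detect(AUTH_LOG, ACCESS_LOG):
        print(finding)
```

The same two rules translate directly into SIEM correlation searches once audit logs are forwarded: join requests to authentication events on the session identifier, then alert when the role bound at login is not permitted for the path requested, or when a role's request volume on report endpoints exceeds the baseline you have measured for it. The sample data flags two administrative calls from the report_viewer session and the 25-fetch burst from agent_sup, while the administrator's own configuration export is left alone.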
How to Mitigate CVE-2025-20113
Immediate Actions Required
- Apply the fixed software releases identified in the Cisco Security Advisory for Unified Intelligence Center and Unified Contact Center Express
- Audit all user accounts and remove inactive or unnecessary low-privileged accounts that could be leveraged for authenticated exploitation
- Rotate credentials for any accounts suspected of compromise and enforce strong password policies
- Review recent administrative changes and report access for indicators of unauthorized activity
Patch Information
Cisco has released fixed software for affected releases of Unified Intelligence Center and Unified Contact Center Express. Refer to the Cisco Security Advisory cisco-sa-cuis-priv-esc-3Pk96SU4 for the specific fixed release matrix mapping each affected version to its remediated build.
Workarounds
- No vendor workarounds are documented; upgrading to a fixed release is the supported remediation path
- Restrict network access to the Unified Intelligence Center management interface using firewall rules or access control lists to limit exposure to trusted administrative networks
- Implement least-privilege account assignment, ensuring users hold only the minimum role required for their function
! Example: restrict management interface access via an ACL on the upstream firewall or router
! Allow only the administrative subnet (10.10.20.0/24, placeholder) to reach the Unified Intelligence Center web interface
access-list 110 permit tcp 10.10.20.0 0.0.0.255 host <CUIC_IP> eq 443
access-list 110 deny tcp any host <CUIC_IP> eq 443 log
access-list 110 permit ip any any
! The ACL only takes effect once it is applied inbound on the interface facing the user networks
interface <INGRESS_INTERFACE>
 ip access-group 110 in
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.