Cisco Unified Intelligence Center Privilege Escalation Vulnerabilities (CVE-2025-20113 & CVE-2025-20114)

CVE = CVE-2025-20113 & CVE-2025-20114

Multiple vulnerabilities in Cisco Unified Intelligence Center could allow an authenticated, remote attacker to perform privilege escalation attacks on an affected system.

These vulnerabilities affect Cisco Unified Intelligence Center, regardless of device configuration, including if it is being used as part of the following Cisco solutions:

• Packaged Contact Center Enterprise (Packaged CCE)
• Unified Contact Center Enterprise (Unified CCE)

These vulnerabilities also affect Cisco Unified Contact Center Express (Unified CCX) because Cisco Unified CCX includes Cisco Unified Intelligence Center as part of its software bundle.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuis-priv-esc-3Pk96SU4

VE-2025-20113: Cisco Unified Intelligence Center Privilege Escalation Vulnerability

A vulnerability in Cisco Unified Intelligence Center could allow an authenticated, remote attacker to elevate privileges to Administrator for a limited set of functions on an affected system.

This vulnerability is due to insufficient server-side validation of user-supplied parameters in API or HTTP requests. An attacker could exploit this vulnerability by submitting a crafted API or HTTP request to an affected system. A successful exploit could allow the attacker to access, modify, or delete data beyond the sphere of their intended access level, including obtaining potentially sensitive information stored in the system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug IDs: CSCwk34893 and CSCwk63233
CVE ID: CVE-2025-20113
Security Impact Rating (SIR): High
CVSS Base Score: 7.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CVE-2025-20114: Cisco Unified Intelligence Center Horizontal Privilege Escalation Vulnerability

A vulnerability in the API of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to perform a horizontal privilege escalation attack on an affected system.

This vulnerability is due to insufficient validation of user-supplied parameters in API requests. An attacker could exploit this vulnerability by submitting crafted API requests to an affected system to execute an insecure direct object reference attack. A successful exploit could allow the attacker to access specific data that is associated with different users on the affected system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug IDs: CSCwk34894 and CSCwk63223
CVE ID: CVE-2025-20114
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N