What is the critical vulnerability discovered in Cisco Unified Communications Manager?

Cisco is reporting a critical vulnerability tracked as CVE-2025-20309 with a perfect CVSS score of 10.0 in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The vulnerability involves hardcoded static SSH credentials for the root account that could allow unauthenticated remote attackers to gain complete administrative control of affected systems.

What is Cisco Unified Communications Manager and why is this vulnerability significant?

Cisco Unified Communications Manager is the central control system for enterprise IP telephony networks, managing call routing, device configuration, and telephony features across organizations. This vulnerability is significant because it provides a persistent backdoor with complete administrative access, potentially affecting critical business communications infrastructure.

What makes this Cisco vulnerability have a perfect CVSS score of 10.0?

The vulnerability receives a perfect CVSS score of 10.0 because it involves hardcoded static SSH credentials for the root account that were left in production releases from development. These credentials cannot be changed or deleted through normal administrative procedures, creating a persistent backdoor that allows unauthenticated remote attackers to gain complete administrative control.

Are there any workarounds for this Cisco vulnerability?

No, there is no workaround available for this vulnerability. Organizations must apply the official patch or upgrade to the fixed version to address the hardcoded credentials issue.

When will the updated Cisco software be available?

Cisco Unified CM and Unified CM SME 15SU3 is scheduled for release in July 2025. However, a patch file (ciscocm.CSCwp27755_D0247-1.cop.sha512) is currently available for immediate deployment to address this critical vulnerability.

What is the risk level for organizations using affected Cisco systems?

The risk level is extremely high. This is a critical vulnerability with a perfect CVSS score of 10.0 that allows unauthenticated remote attackers to gain complete administrative control. Organizations should treat this as an emergency and apply patches immediately to prevent potential compromise of their telephony infrastructure.

Can the hardcoded credentials be changed by administrators?

No, the static user credentials for the root account cannot be changed or deleted through normal administrative procedures. This is what makes the vulnerability so critical - it creates a persistent backdoor that administrators cannot remove without applying the official patch.

What should organizations do immediately about this Cisco vulnerability?

Organizations should immediately identify all systems running affected versions (15.0.1.13010-1 through 15.0.1.13017-1), apply the available patch file ciscocm.CSCwp27755_D0247-1.cop.sha512, monitor logs for signs of compromise, and plan for the July 2025 software update. Given the critical nature and perfect CVSS score, this should be treated as an emergency security update.

What type of access do the hardcoded credentials provide?

The hardcoded credentials provide SSH access to the root account, which is the highest level of administrative access on the system. This gives attackers complete control over the Cisco Unified Communications Manager, including access to all configuration data, call records, and the ability to modify system behavior.

How does this vulnerability affect enterprise security?

This vulnerability poses a significant threat to enterprise security as it provides attackers with a foothold in critical communications infrastructure. Compromised telephony systems can be used for espionage (monitoring calls), disruption of business operations, or as a launching point for attacks against other systems on the corporate network.

What is the CVE identifier and tracking information for this Cisco vulnerability?

The vulnerability is tracked as CVE-2025-20309 and has been assigned a CVSS score of 10.0, representing the maximum possible severity level. This reflects the combination of the ease of exploitation, the level of access gained, and the critical nature of the affected systems.

Advisory

Cisco patches critical hardcoded credentials vulnerability in Unified Communications Manager

Q: Why were hardcoded credentials present in the Cisco production release?

According to Cisco, these static SSH credentials for the root account were supposedly used during development but were inadvertently left in production releases. This represents a serious development security oversight that created a persistent backdoor in production systems.

published: July 2, 2025

Take action: Obvious first step - isolate the SSH port of your CUCM and make it accessible from trusted networks only. Then VERY QUICLY update to versions 15.0.1.13010-1 through 15.0.1.13017-1, or apply the patches. Just isolating the CUCM isn't enough - the hardcoded password can be abused by malicious insiders, or other devices with access to trusted networks can be breached and the attackers can then breach CUCM.

Learn More

Cisco is reporting a critical vulnerability in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME) that could allow unauthenticated remote attackers to gain complete administrative control of affected systems.

Cisco Unified Communications Manager is the central control system for enterprise IP telephony networks, managing call routing, device configuration, and telephony features across organizations.

The vulnerability is tracked as CVE-2025-20309 (CVSS score 10.0) - hardcoded static SSH credentials for the root account. These credentials were supposedly used during development but were inadvertently left in production releases. The static user credentials for the root account cannot be changed or deleted through normal administrative procedures. Unless the systems are patched, there is a persistent backdoor.

Successful exploitation could allow attackers to monitor calls, manipulate call routing, access sensitive configuration data, or use the compromised system as a starting point for lateral movement within corporate networks.

The vulnerability affects Cisco Unified CM and Unified CM SME Engineering Special (ES) versions 15.0.1.13010-1 through 15.0.1.13017-1, regardless of device configuration or security settings.

Cisco has released fixes to address this vulnerability. Customers can pgrade to Cisco Unified CM and Unified CM SME 15SU3 (scheduled for July 2025) or apply the patch file ciscocm.CSCwp27755_D0247-1.cop.sha512. T

There is no workaround available.

Successful exploitation attempts would generate log entries in /var/log/active/syslog/secure showing SSH login sessions for the root user. Since this logging is enabled by default, administrators can check for potential compromise by running the command file get activelog syslog/secure from the CLI and examining the logs for unauthorized root access attempts.

Cisco patches critical hardcoded credentials vulnerability in Unified Communications Manager

Read More
SonicWall patches actively exploited flaw vulnerability chain in …
Critical security vulnerabilities reported in Spotfire AI analysis …
CrushFTP warns of actively exploited flaw, users asked …
Veeam patches 18 Flaws, 5 critical in its …
Mitel networks reports critical authentication bypass flaw in …