Cisco has issued an urgent security advisory regarding a critical vulnerability in its widely deployed enterprise communications platforms, specifically Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME). This vulnerability, tracked as CVE-2025-20309, poses a severe risk to organizations due to the presence of hardcoded SSH credentials that could allow attackers to gain full control over affected systems.
Vulnerability Details
The flaw, which has received a maximum severity rating (CVSS score of 10.0), arises from the inclusion of static, hardcoded SSH credentials for the root account. These credentials, originally intended for development and testing purposes, were inadvertently left in several production releases. Administrators are unable to change or remove these credentials, creating a persistent backdoor that can be exploited by remote attackers.
An unauthenticated attacker with network access could leverage these credentials to log in as the root user, granting them the ability to execute arbitrary commands with the highest level of system privileges. This could result in the compromise of sensitive data, disruption of communications services, and the potential for further attacks within the enterprise network.
Affected Products
The vulnerability impacts the following Cisco products:
- Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1
Other versions, including 12.5 and 14, are not affected by this issue.
Risks and Impact
The presence of hardcoded root credentials represents a significant security risk, as it undermines all aspects of the confidentiality, integrity, and availability (CIA) of the affected systems. Successful exploitation could allow attackers to:
- Disrupt critical communications services
- Steal or manipulate sensitive information
- Intercept or tamper with enterprise communications
- Use compromised systems as a foothold for further attacks
While there is currently no evidence of active exploitation, the ease with which this vulnerability can be exploited makes prompt remediation essential.
Detection and Indicators of Compromise
Administrators are advised to check system logs for signs of unauthorized root access. Successful exploitation will result in log entries for root user logins in /var/log/active/syslog/secure. The following command can be used to retrieve these logs:
bashfile get activelog syslog/secure
Any unexpected root SSH logins should be treated as potential indicators of compromise.
Remediation and Recommendations
Cisco has released patches and updates to address this vulnerability. Organizations using affected versions are strongly urged to:
- Immediately upgrade to Unified CM 15SU3 (July 2025 release) or apply the CSCwp27755 patch.
- Disable remote access to affected systems until patches can be applied.
- Audit access logs for suspicious root logins and signs of compromise.
- After patching, review system logs for historic indicators of unauthorized access, as remediation does not address prior intrusions.
No workarounds are available for this vulnerability; patching is the only effective mitigation.
