Cisco fixes a critical flaw in Unified CM that could grant remote attackers full system access via hardcoded credentials.
Cisco has released a security patch to address a critical vulnerability in its Unified Communications Manager (Unified CM) and Session Management Edition (Unified CM SME). This security flaw could allow remote attackers to gain root access to unpatched systems.
Cisco Unified Communications Manager (Unified CM) is a centralized call control platform that enables voice, video, messaging, and mobility services across an enterprise IP network. It manages the registration and operation of IP phones, video endpoints, and gateways as well as handles call routing, signaling, and media resources. Unified CM supports advanced features like voicemail integration, conferencing, presence, and secure communications.
This security vulnerability (tracked as CVE-2025-20309) is rated Critical with a CVSS score of 10. This flaw could allow hackers to abuse the root account to log into an affected device. The root account uses a default username and password that are hardcoded and cannot be changed or removed by users or administrators.
According to Cisco, the static user credentials for the root account were originally intended for software development and testing purposes. These credentials were supposed to be temporary and should have been removed or disabled before the product was finalized and released to customers. If an attacker gains access to the system using the exposed root account, they could run any command with full administrative privileges.
This vulnerability affects Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1. According to Cisco, the indicators of compromise include a log entry in /var/log/active/syslog/secure showing activity by the root user, who has full administrative access. Administrators can retrieve the log by running the command file get activelog syslog/secure at the CLI prompt (cucm1#).
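The check described above can be scripted once the secure log has been retrieved. The following is an added example, not code from Cisco or from the original article: the function names are hypothetical, the log line layout is assumed to follow common Linux sshd/PAM conventions, and the sample lines are constructed.

```python
import re
from typing import Iterable

# Patterns for root activity in a Linux-style auth log. The exact line layout
# on Unified CM is an assumption; adjust after inspecting a real secure log.
ROOT_PATTERNS = [
    ("session_opened", re.compile(r"session opened for user root\b")),
    ("ssh_accepted", re.compile(r"Accepted \S+ for root from (?P<src>\S+)")),
    ("ssh_failed", re.compile(r"Failed \S+ for root from (?P<src>\S+)")),
]
# Affected Engineering Special builds named in the article (inclusive range).
AFFECTED = ((15, 0, 1, 13010, 1), (15, 0, 1, 13017, 1))

def parse_version(text: str) -> tuple:
    """Turn a dotted build string like '15.0.1.13012-1' into a tuple of ints."""
    return tuple(int(p) for p in re.split(r"[.-]", text.strip()))

def is_affected(version: str) -> bool:
    """True if the build string falls inside the affected ES range."""
    low, high = AFFECTED
    return low <= parse_version(version) <= high

def find_root_activity(lines: Iterable[str]) -> list:
    """Return one dict per log line that records root login activity."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, pattern in ROOT_PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append({"line": number, "kind": kind,
                             "source": match.groupdict().get("src"),
                             "raw": line.rstrip()})
                break
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = """\
Jul  3 10:38:41 cucm1 sshd[4211]: Failed password for root from 192.0.2.44 port 50122 ssh2
Jul  3 10:38:43 cucm1 sshd[4211]: Accepted password for root from 192.0.2.44 port 50122 ssh2
Jul  3 10:38:43 cucm1 sshd[4211]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  3 10:40:02 cucm1 sshd[4302]: Accepted password for administrator from 198.51.100.7 port 41200 ssh2
""".splitlines()

if __name__ == "__main__":
    for hit in find_root_activity(SAMPLE_LOG):
        print(hit["line"], hit["kind"], hit["source"] or "-", sep="\t")
    print("15.0.1.13012-1 affected:", is_affected("15.0.1.13012-1"))
```

Any hit on a build inside the affected range warrants investigation, since the article states the root account was never meant to be used in production.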
Currently, Cisco has not found any evidence that this vulnerability has been exploited in the wild. There is no workaround available and users should upgrade vulnerable devices to Cisco Unified CM and Unified CM SME version 15SU3 (July 2025).