Cisco (Nasdaq:CSCO) has patched a max severity flaw in its Unified Communications Manager (Unified CM) and Session Management Edition (Unified CM SME) products that could let attackers walk right in using a hardcoded root login.
The enterprise communications giant said the static credentials were intended for internal use only but, unfortunately, were left in a range of limited-distribution software builds that went out to customers through official support channels.
“This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development,” Cisco said in a security advisory. “A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.”
While the issue is confined to a batch of Engineering Special (ES) releases, there’s no way to mitigate the flaw without applying a patch. Cisco has issued a fix and is urging customers to upgrade immediately.
Max-severity root access is possible
The issue (CVE-2025-20309) stems from a coding oversight. The root user account on the vulnerable ES builds came preloaded with fixed secure shell (SSH) login credentials that customers could neither change nor remove. Anyone who knows the credentials (or reverse engineers them from the build) could use them to log in remotely with full administrative privileges, which makes this a max severity (CVSS 10 out of 10) flaw.
The credentials, originally meant for development purposes only, were inadvertently shipped in certain ES builds of Unified CM 15.0.1, specifically versions 13010-1 through 13017-1. These builds were distributed by Cisco’s Technical Assistance Center and weren’t broadly available, limiting exposure but not the severity.
The affected products, Cisco Unified CM and Unified CM SME, are core components of enterprise telephony infrastructure, widely deployed across government agencies, financial institutions, and large corporations to manage voice, video, and messaging at scale.
A flaw in these systems could allow attackers to compromise an organization’s communications, letting them log in remotely with full administrative control to potentially intercept calls, plant backdoors, and disrupt critical services.
Cisco shares tricks to spot exploitation
Cisco said in the advisory that it hasn’t observed any exploitation in the wild, but it has provided a method for customers to detect compromises. Successful logins via the root account would leave traces in system logs located at ‘/var/log/active/syslog/secure’, it said.
The advisory even included an example log snippet to show what an attacker’s SSH session might look like.
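The two checks a defender would want from the details above, whether a given build string falls in the affected ES range and whether the secure log shows a successful root SSH login, are illustrated by the following Python script. It is an added example, not Cisco's code and not the advisory's own log snippet. It assumes build strings of the form "15.0.1.13010-1" and the standard OpenSSH sshd syslog line ("Accepted password for root from ... port ... ssh2") in /var/log/active/syslog/secure; both layouts are assumptions, and the sample log lines are constructed for the example.

```python
"""Helpers for CVE-2025-20309 triage (added example, not Cisco's code).

Assumptions not stated in the article:
- build strings look like "15.0.1.13010-1" (major.minor.maint.build-rev)
- the secure log uses standard OpenSSH sshd syslog lines, e.g.
  "Accepted password for root from 203.0.113.5 port 41022 ssh2"
"""
import re

# Affected ES builds as reported in the article: Unified CM / CM SME 15.0.1,
# builds 13010-1 through 13017-1.
AFFECTED_TRAIN = (15, 0, 1)
AFFECTED_BUILD_MIN = 13010
AFFECTED_BUILD_MAX = 13017

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$")


def is_affected_build(version: str) -> bool:
    """True if the build string lies inside the affected ES range."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, maint, build, _rev = (int(x) for x in m.groups())
    if (major, minor, maint) != AFFECTED_TRAIN:
        return False
    return AFFECTED_BUILD_MIN <= build <= AFFECTED_BUILD_MAX


# Standard sshd success line: "Accepted <method> for <user> from <ip> port <port> ssh2"
SSHD_ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def find_root_logins(log_text: str) -> list:
    """Return every successful SSH login as root found in syslog/secure text.

    On an affected build the root account carried fixed credentials, so any
    root SSH login is the footprint of exploitation and should be investigated.
    Failed attempts and non-root sessions are ignored.
    """
    hits = []
    for line in log_text.splitlines():
        m = SSHD_ACCEPT_RE.match(line)
        if m and m.group("user") == "root":
            hits.append({
                "timestamp": m.group("ts"),
                "source_ip": m.group("ip"),
                "port": int(m.group("port")),
                "method": m.group("method"),
            })
    return hits


# Constructed sample lines (not from Cisco's advisory): normal admin activity,
# one failed root attempt, then two successful root logins from one address.
SAMPLE_SECURE_LOG = """\
Jul  2 09:14:05 cucm-pub sshd[4123]: Accepted publickey for admin from 10.10.1.20 port 50212 ssh2
Jul  2 09:14:05 cucm-pub sshd[4123]: pam_unix(sshd:session): session opened for user admin
Jul  2 11:03:41 cucm-pub sshd[5870]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jul  2 11:03:49 cucm-pub sshd[5870]: Accepted password for root from 203.0.113.5 port 41022 ssh2
Jul  2 11:03:49 cucm-pub sshd[5870]: pam_unix(sshd:session): session opened for user root
Jul  3 02:17:12 cucm-pub sshd[9931]: Accepted password for root from 203.0.113.5 port 43910 ssh2
"""


if __name__ == "__main__":
    print("affected build:", is_affected_build("15.0.1.13012-1"))
    for hit in find_root_logins(SAMPLE_SECURE_LOG):
        print("ROOT SSH LOGIN", hit)
```

Run it against a copy of the secure log pulled from the appliance rather than on the appliance itself; a hit only tells you a root session happened, so the follow-up is to establish whether the source address and time match legitimate Cisco TAC activity.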
The company said exploitation does not depend on any particular device configuration, and no workaround is available to mitigate the risk apart from upgrading. Customers without a service contract can still request the fix, provided they can share their device's serial number and a link to the advisory.
The flaw, which was found during internal security testing, is the second max-severity bug Cisco has reported within a week, the first being an insufficient input validation flaw affecting Cisco's identity and access control platforms that allows remote code execution as the root user.