{"id":3831,"date":"2025-07-03T12:41:45","date_gmt":"2025-07-03T12:41:45","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3831"},"modified":"2025-07-03T12:41:45","modified_gmt":"2025-07-03T12:41:45","slug":"hardcoded-root-credentials-in-cisco-unified-cm-trigger-max-severity-alert","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3831","title":{"rendered":"Hardcoded root credentials in Cisco Unified CM trigger max-severity alert"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Cisco (<a href=\"https:\/\/finance.yahoo.com\/quote\/CSCO\/\" target=\"_blank\" rel=\"noopener\">Nasdaq:CSCO<\/a>) has patched a max severity flaw in its Unified Communications Manager (Unified CM) and Session Management Edition (Unified CM SME) products that could let attackers walk right in using a hardcoded root login.<\/p>\n<p>The enterprise communications giant said the static credentials were intended for internal use only but, unfortunately, were left in a range of limited-distribution software builds that went out to customers through official support channels.<\/p>\n<h5 class=\"wp-block-heading\"><strong>[ Related:\u00a0<\/strong><a href=\"https:\/\/www.networkworld.com\/article\/3523958\/cisco-latest-news-and-insights.html\"><strong>More Cisco news and insights<\/strong><\/a><strong>\u00a0]<\/strong><\/h5>\n<p>\u201cThis vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development,\u201d Cisco said in a security advisory. 
\u201cA successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.\u201d<\/p>\n<p>While the issue is confined to a batch of Engineering Special (ES) releases, there\u2019s no way to mitigate the flaw without applying a patch. Cisco has issued a fix and is urging customers to upgrade immediately.<\/p>\n<h2 class=\"wp-block-heading\">Max-severity root access is possible<\/h2>\n<p>The issue (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-20309\" target=\"_blank\" rel=\"noopener\">CVE-2025-20309<\/a>) stems from a coding oversight. The root user account on the vulnerable ES builds came preloaded with default secure shell (SSH) login credentials that couldn\u2019t be changed or removed. Anyone who knows the credentials (or reverse engineers them) could use them to remotely access the system with full administrative privileges, making this a max-severity (CVSS 10 out of 10) flaw.<\/p>\n<p>The credentials, originally meant for development purposes only, were inadvertently shipped in certain ES builds of Unified CM 15.0.1, specifically versions 13010-1 through 13017-1. 
These builds were distributed by Cisco\u2019s Technical Assistance Center and weren\u2019t broadly available, limiting exposure but not the severity.<\/p>\n<p>The affected products, Cisco Unified CM and Unified CM SME, are core components of enterprise telephony infrastructure, widely deployed across government agencies, financial institutions, and large corporations to manage voice, video, and messaging at scale.<\/p>\n<p>A flaw in these systems could allow attackers to compromise an organization\u2019s communications, letting them log in remotely with full administrative control to potentially intercept calls, plant <a href=\"https:\/\/www.csoonline.com\/article\/3629493\/the-2024-cyberwar-playbook-tricks-used-by-nation-state-actors.html?utm=hybrid_search#:~:text=Backdooring%20critical%20systems%20for%20sneaky%20attacks\">backdoors<\/a>, and disrupt critical services.<\/p>\n<h2 class=\"wp-block-heading\">Cisco shares tricks to spot exploitation<\/h2>\n<p>Cisco said in the <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-cucm-ssh-m4UBdpE7\" target=\"_blank\" rel=\"noopener\">advisory<\/a> that it hasn\u2019t observed any exploitation in the wild, but it has provided a method for customers to detect compromises. Successful logins via the root account would leave traces in system logs located at \u2018\/var\/log\/active\/syslog\/secure\u2019, it said.<\/p>\n<p>The advisory even included an example log snippet to show what an attacker\u2019s SSH session might look like.<\/p>\n<p>The company said the exploit doesn\u2019t require any device configuration, and no workaround is available to mitigate the risk apart from upgrading. 
Customers without a service contract can still request the fix, provided they can share their device\u2019s serial number and a link to the advisory.<\/p>\n<p>The flaw, which was found during internal security testing, is the second max-severity bug Cisco reported within a week, the first being an <a href=\"https:\/\/www.csoonline.com\/article\/4013597\/cisco-warns-of-critical-api-vulnerabilities-in-ise-and-ise-pic.html?utm=hybrid_search\">insufficient input validation flaw<\/a> affecting Cisco\u2019s identity and access control platforms, allowing RCE as the root user.<\/p>\n<p>More Cisco security news:<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4000770\/cisco-wireless-lan-controllers-under-threat-again-after-critical-exploit-details-go-public.html\">Cisco Wireless LAN Controllers under threat again after critical exploit details go public<\/a><\/p>\n<p><a href=\"https:\/\/www.networkworld.com\/article\/3998305\/cisco-bolsters-dns-security-package.html\">Cisco bolsters DNS security package<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3982055\/cisco-patches-max-severity-flaw-allowing-arbitrary-command-execution.html\">Cisco patches max-severity flaw allowing arbitrary command execution<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Cisco (Nasdaq:CSCO) has patched a max severity flaw in its Unified Communications Manager (Unified CM) and Session Management Edition (Unified CM SME) products that could let attackers walk right in using a hardcoded root login. 
The enterprise communications giant said the static credentials were intended for internal use only but, unfortunately, were left in a [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3823,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3831","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3831"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3831"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3831\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3823"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3831"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}