Cisco has patched a critical vulnerability (CVSS 10.0) in its Unified Communications Manager (Unified CM) and Session Management Edition (SME) products. Tracked as CVE-2025-20309, the flaw stems from a hardcoded root account with static credentials reserved for development—credentials that cannot be changed or removed.

This vulnerability affects Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1, making them susceptible to unauthenticated SSH logins. In a worst-case scenario, an attacker could exploit this to gain full root privileges and execute arbitrary commands remotely.

The issue was uncovered during Cisco’s internal security testing, and so far, there’s no evidence of in-the-wild exploitation. However, the potential impact is high: with root access, threat actors could pivot across networks, intercept calls, alter configurations, or disrupt communications.

Indicators of Compromise

Known indicators of compromise (IoCs) include log entries in /var/log/active/syslog/secure showing a successful sshd login by the root user.
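As an added illustration (not from the article or from Cisco), the script below scans secure-log lines for successful sshd logins by root and returns one record per hit. The sample lines are constructed in standard OpenSSH syslog format; that Unified CM writes /var/log/active/syslog/secure in this format is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample lines in OpenSSH syslog style. Hostnames, PIDs, timestamps
# and addresses are made up; the real file on Unified CM is /var/log/active/syslog/secure.
SAMPLE_SECURE_LOG = """\
Jul  2 10:14:03 cucm-pub sshd[21877]: Accepted password for admin from 192.0.2.15 port 50112 ssh2
Jul  2 10:15:41 cucm-pub sshd[21902]: Failed password for root from 198.51.100.7 port 41002 ssh2
Jul  2 10:15:44 cucm-pub sshd[21902]: Accepted password for root from 198.51.100.7 port 41002 ssh2
Jul  2 10:16:02 cucm-pub sshd[21910]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  2 11:02:19 cucm-pub sshd[22340]: Accepted publickey for root from 203.0.113.9 port 39870 ssh2
"""

# Matches sshd's "Accepted <method> for <user> from <addr> port <port>" success line.
# "Failed ..." and pam_unix session lines deliberately do not match.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s(?P<port>\d+)"
)


def find_root_ssh_logins(log_text: str, user: str = "root") -> List[Dict[str, str]]:
    """Return one record per successful sshd login by `user` (root by default)."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m and m.group("user") == user:
            hits.append({k: m.group(k) for k in ("ts", "host", "method", "user", "src", "port")})
    return hits


if __name__ == "__main__":
    # On a real system, read the secure log instead of the constructed sample.
    for hit in find_root_ssh_logins(SAMPLE_SECURE_LOG):
        print(f"{hit['ts']} {hit['host']}: root login via {hit['method']} "
              f"from {hit['src']}:{hit['port']}")
```

Any root login returned here warrants investigation on an affected ES release, since the static account is the only way root should be reachable over SSH.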

Mitigation

Cisco recommends upgrading vulnerable ES versions to Service Update 3 (15SU3) or applying the patch file ciscocm.CSCwp27755_D0247-1.cop.sha512, available through Cisco TAC. There are no known workarounds, and non-ES releases (e.g., 12.5, 14.x) are unaffected.

Reference: Cisco security advisory "Cisco Unified Communications Manager Static SSH Credentials Vulnerability"