Cisco removed the backdoor account from its Unified Communications Manager
Digital communications technology giant Cisco addressed a static SSH credentials vulnerability in its Unified Communications Manager (Unified CM).
The flaw, tracked as CVE-2025-20309 (CVSS score of 10), affects Cisco Unified Communications Manager and its Session Management Edition and lets remote attackers log in over SSH using hardcoded root credentials that were reserved for use during development. Cisco Unified Communications Manager (CUCM) is a call processing system developed by Cisco for enterprise-level voice, video, messaging, and mobility communications.
These static credentials cannot be changed or deleted by the administrator. An attacker who knows them needs no other credentials on the target: a single SSH login gives full root privileges and the ability to run arbitrary commands, which is why the issue is rated as serious as it is for affected devices.
“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.” reads the advisory. “This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.”
The company addressed the issue by removing the backdoor account from its Unified Communications Manager (Unified CM).
The vulnerability impacts Cisco Unified CM and Unified CM SME Engineering Special releases 15.0.1.13010-1 to 15.0.1.13017-1, regardless of configuration. These ES versions are limited fix releases shared only through Cisco TAC.
There are no workarounds to address the vulnerability.
Admins are recommended to upgrade to an appropriate fixed software release:
| Cisco Unified CM and Unified CM SME Release | First Fixed Release |
|---|---|
| 12.5 | Not vulnerable |
| 14 | Not vulnerable |
| 15.0.1.13010-1 through 15.0.1.13017-1 [1] | 15SU3 (Jul 2025) or apply the patch file ciscocm.CSCwp27755_D0247-1.cop.sha512 |

[1] Only the listed set of ES releases is vulnerable. No Service Updates (SUs) for any release are affected.
The good news is that Cisco PSIRT is not aware of any attacks exploiting this vulnerability in the wild.
Cisco also provides Indicators of Compromise (IoCs) for detecting devices on which the vulnerability may already have been exploited. The key IoC is a successful SSH login by the root user, which is recorded in the system log /var/log/active/syslog/secure. This logging is enabled by default. To retrieve the log, use the CLI command:
file get activelog syslog/secure
Then look for entries showing both sshd and a login session for the root user.
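The following script is an added example and is not code from Cisco or from the original article. It shows the check the IoC describes: scanning the retrieved secure log for completed SSH logins by root and ignoring failed attempts and logins by other users. It assumes the Unified CM secure log uses the standard syslog + OpenSSH/pam_unix line layout (the sample lines are constructed for the demonstration, not captured from a real system); the regexes may need adjusting if the exported file looks different.

```python
import re
import sys
from typing import Dict, List

# Constructed sample of the kind of lines found in a secure log. This is NOT
# output captured from a Unified CM system; the format (syslog prefix followed
# by OpenSSH / pam_unix messages) is an assumption about the exported file.
SAMPLE_SECURE_LOG = """\
Jul  1 09:12:44 cucm-pub sshd[4410]: Accepted publickey for admin from 192.0.2.11 port 50122 ssh2: RSA SHA256:AbCdEf
Jul  1 09:12:44 cucm-pub sshd[4410]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jul  1 09:20:07 cucm-pub sshd[4471]: Failed password for root from 198.51.100.7 port 40010 ssh2
Jul  1 09:20:09 cucm-pub sshd[4471]: Failed password for root from 198.51.100.7 port 40010 ssh2
Jul  1 09:21:30 cucm-pub sshd[4488]: Accepted password for root from 198.51.100.7 port 40044 ssh2
Jul  1 09:21:30 cucm-pub sshd[4488]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  1 09:40:02 cucm-pub sshd[4602]: Connection closed by 198.51.100.7 port 40044 [preauth]
"""

# "Accepted <method> for <user> from <src> port <port>" is the successful
# authentication record written by sshd.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
# pam_unix logs the session start from the same sshd process (same PID).
SESSION_RE = re.compile(
    r"^\S+\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:session\): session opened for user (?P<user>\S+)"
)


def find_root_ssh_logins(lines, user: str = "root") -> List[Dict[str, str]]:
    """Return one finding per successful SSH login for `user`.

    The "Accepted ..." line is the authoritative signal; a pam_unix "session
    opened" line from the same sshd PID confirms the session actually started.
    "Failed password" lines are ignored on purpose: the IoC in the advisory is
    a completed root login, not a guess against the root account.
    """
    findings: List[Dict[str, str]] = []
    by_pid: Dict[str, Dict[str, str]] = {}
    for raw in lines:
        line = raw.rstrip("\n")
        m = ACCEPTED_RE.match(line)
        if m:
            if m.group("user") == user:
                rec = {**m.groupdict(), "session_confirmed": "no"}
                by_pid[rec["pid"]] = rec
                findings.append(rec)
            continue
        m = SESSION_RE.match(line)
        if m and m.group("user") == user and m.group("pid") in by_pid:
            by_pid[m.group("pid")]["session_confirmed"] = "yes"
    return findings


def main(argv) -> int:
    # Pass the path of the secure log exported with `file get activelog
    # syslog/secure`; with no argument the constructed sample is scanned.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_SECURE_LOG.splitlines()
    hits = find_root_ssh_logins(lines)
    if not hits:
        print("no successful root SSH logins found")
    for h in hits:
        print(f"{h['ts']} {h['host']}: root login via {h['method']} from "
              f"{h['src']}:{h['port']} (pid {h['pid']}, session confirmed: {h['session_confirmed']})")
    # Non-zero exit makes the check easy to wire into a batch job.
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the file pulled off the appliance (`python3 check_root_ssh.py secure`) or pipe several exported logs through it in turn. Any hit on an ES build in the affected range should be treated as a potential compromise and the source address investigated, since a legitimate administrator has no way to use the root account here.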
Pierluigi Paganini