Cisco fixes maximum-severity flaw in enterprise unified comms platform (CVE-2025-20309)
Cisco has found a backdoor account in yet another of its software solutions: CVE-2025-20309, stemming from default credentials for the root account, could allow unauthenticated remote attackers to log into vulnerable Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) platforms and use the acquired access to execute arbitrary commands with the highest privileges.
About CVE-2025-20309, and how to fix it
Cisco Unified Communications Manager – formerly Cisco CallManager – is an IP call processing system, and Cisco Unified Communications Manager Session Management Edition incorporates session management services for simplifying services aggregation and extending collaboration applications.
Cisco Unified CM is used by businesses of all sizes and can be deployed on-premises or in the cloud.
“[CVE-2025-20309] is due to the presence of static user credentials for the root account that are reserved for use during development,” Cisco explained.
The credentials cannot be changed or deleted. Luckily, the vulnerability was found during internal security testing, and there is no indication that it has also been discovered and exploited by attackers.
A circumstance that may limit the flaw’s potential for attackers is that it affects Cisco Unified CM and Unified CM SME releases 15.0.1.13010-1 through 15.0.1.13017-1, but only the Engineering Special releases – “limited fix releases that are distributed only by the Cisco Technical Assistance Center (TAC)”. It’s unlikely that there are many out there.
Affected users have been advised to update to the 15 Service Update (SU) 3 or to apply a patch file that has been provided, as there are no available workarounds.
Cisco has also pinpointed a specific log entry that, if found in the solution’s logs, points to the vulnerability having been leveraged by attackers.
“Successful exploitation would result in a log entry to /var/log/active/syslog/secure for the root user with root permissions,” the company said.
“If a log entry both includes sshd and shows a successful SSH login by the user root, it is an [indicator of compromise].”
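One way to run Cisco's indicator of compromise over a copy of the secure log, as an added example that is not Cisco's own tooling: the script flags entries that come from sshd and record a successful SSH login by root. The OpenSSH-style "Accepted ... for root from ..." line format and the sample log lines are assumptions, so adjust the pattern to the appliance's actual output.

```python
import re

# Cisco's IoC for CVE-2025-20309: an entry in /var/log/active/syslog/secure
# that comes from sshd and shows a successful SSH login by the user root.
SECURE_LOG_PATH = "/var/log/active/syslog/secure"

# Assumed OpenSSH-style format, e.g.
# "sshd[1234]: Accepted password for root from 10.0.0.5 port 50000 ssh2"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]:\s+Accepted\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+port\s+(?P<port>\d+)"
)

def find_root_ssh_logins(lines):
    """Return the entries matching the IoC: an sshd line with a successful root login."""
    hits = []
    for line in lines:
        if "sshd" not in line:
            continue  # only sshd entries are relevant to this indicator
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") == "root":
            hits.append({"line": line.rstrip(), "src": m.group("src"),
                         "method": m.group("method")})
    return hits

def scan_secure_log(path=SECURE_LOG_PATH):
    """Scan the on-box secure log (or an exported copy) for the IoC."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_root_ssh_logins(fh)

# Constructed sample lines (not real log data) to show the check at work:
# a legitimate admin login, a failed root attempt, a successful root login,
# and a non-sshd line that mentions root but must not match.
SAMPLE_LOG = [
    "Jul  2 10:14:01 ucm sshd[2210]: Accepted password for admin from 192.0.2.10 port 51022 ssh2",
    "Jul  2 10:15:33 ucm sshd[2251]: Failed password for root from 192.0.2.77 port 51100 ssh2",
    "Jul  2 10:15:40 ucm sshd[2251]: Accepted password for root from 192.0.2.77 port 51101 ssh2",
    "Jul  2 10:16:02 ucm sudo: admin : TTY=pts/0 ; USER=root ; COMMAND=/bin/ls",
]

if __name__ == "__main__":
    for hit in find_root_ssh_logins(SAMPLE_LOG):
        print(f"IoC match: root SSH login from {hit['src']} via {hit['method']}: {hit['line']}")
```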