Cisco has patched a critical flaw in its Unified Communications Manager (Unified CM) software that allowed unauthenticated remote attackers to log in using hardcoded root credentials. The vulnerability, tracked as CVE-2025-20309, carries a CVSS score of 10.0 (the highest possible) and affects select engineering special (ES) builds of version 15.0.
The issue stems from development leaving behind static SSH credentials. Cisco’s advisory says these credentials are tied to the root account and “cannot be changed or deleted.”
The bug, listed under Cisco Bug ID CSCwp27755, impacts Unified CM and Unified CM Session Management Edition (SME) releases 15.0.1.13010-1 through 15.0.1.13017-1. These versions were distributed directly by Cisco’s Technical Assistance Center (TAC) and are not generally available to the broader public. Other versions, including the latest service updates for 12.5 and 14, are unaffected.
“There are no workarounds,” Cisco said in its advisory on 2 July. “Cisco has released software updates that address this vulnerability.”
A Backdoor Root Account
The vulnerability is a textbook case of a CWE-798: Use of Hard-coded Credentials. According to Cisco, the credentials were “reserved for use during development” but remained present in the shipped ES versions.
If exploited, an attacker could gain root-level access over SSH, allowing them to execute arbitrary commands on affected devices.
Researchers familiar with the disclosure said the implications were clear. “This is a high-impact vulnerability because it opens the door to full system compromise with no authentication required,” said one Cisco PSIRT researcher involved in the analysis. “The presence of a static root account is always a red flag.”
Cisco confirmed that the flaw was discovered internally and has not been exploited in the wild. As of the time of this writing, no public exploit code exists.
Fixes and Patches
Cisco has released an official patch file, ciscocm.CSCwp27755_D0247-1.cop.sha512, for affected customers. A fix is also included in the upcoming 15SU3 release, scheduled for July 2025.
Customers with valid support contracts can access the patched software via standard Cisco channels. Those without contracts are advised to contact the TAC directly to request the update. “Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement,” Cisco noted.
Only the ES builds listed are vulnerable. The company confirmed that “No Service Updates (SUs) for any releases are affected. ”
Supply Chain and Update Reminders
As part of standard protocol, Cisco reminded users to confirm memory capacity and compatibility before deploying any patches. The company also urged customers to review their licensing agreements and ensure they operate within supported configurations.
The advisory comes amid a broader industry push to eliminate hardcoded credentials from production environments. Using such credentials is considered a major security misstep, especially in systems with broad administrative control.
Cisco PSIRT has not observed any malicious use of the vulnerability to date. The team continues to monitor for exploitation attempts and will update the advisory if new information emerges.
Real Consequences
Shane Barney, Chief Information Security Officer at Keeper Security, says this is is a critical vulnerability with real consequences. “Hard-coded root credentials that allow unauthenticated remote access effectively hand over full control of the system. In a platform like Cisco’s Unified Communications Manager, that could let attackers move deeper into the network, listen in on calls or change how users log in.”
It’s good that Cisco caught this internally and has a fix available, Barney adds, but the risk is real and immediate for any organization still running affected versions. “A CVSS score of 10.0 is as serious as it gets and patching needs to happen now. These kinds of flaws are a reminder that even the most trusted systems can carry hidden risks. That’s why a strong, proactive security posture, including fast patching, tight credential controls and deep visibility, isn’t just important but essential.”
A Springboard into the Voice Network
Jason Soroko, Senior Fellow at Sectigo, adds that because the flaw lets any remote unauthenticated attacker log in over SSH with hard coded root credentials, every Unified CM instance becomes a springboard into the voice network and beyond. “This gives the intruder power to run any command, plant backdoors, siphon call audio, harvest credentials and tamper with authentication services so phone, video and emergency lines could be silently rerouted or knocked offline; a breach at that level can also grant an easy pivot into adjacent servers through the trusted signaling links that Unified CM maintains.”
Soroko says organizations should immediately upgrade to the fixed software that Cisco has published, restrict or disable external SSH access, put Unified CM behind strict network segmentation, hunt for suspicious root logins since the affected releases were installed and enable continuous monitoring to catch any attempt to exploit the bug.
The Saving Grace
Mayuresh Dani, Security Research Manager, at Qualys believes the saving grace here is that only a specific subset of Engineering Special (ES) builds are affected. “Mature organizations do not typically install ES releases as part of standard practice. ES releases are special builds provided by Cisco Technical Assistance Center (TAC) to address specific customer issues or urgent bugs that are not yet resolved in the standard Service Update (SU) or General Availability (GA) releases.
Dani advises firms to monitor log entries in /var/log/active/syslog/secure showing successful SSH login sessions by the root user, detect unusual authentication patterns or access from unexpected IP addresses, and limit access to management interfaces and isolate critical systems to prevent lateral movement in case of compromise
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.