Cisco warns of critical flaw in Unified Communications Manager – so you better patch now

Cisco Patches Critical Flaw in Unified Communications Manager

A critical security vulnerability has been discovered in Cisco’s Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The flaw allows attackers root access, necessitating immediate patches.

Root Access Risk

Identified as CVE-2025-20309, the vulnerability received the maximum severity score of 10.0. Cisco warned that this flaw lets a malicious actor log into affected devices using the root account. This account has default, static credentials that cannot be altered or removed.

The vulnerability stems from static user credentials for the root account, typically used during development, according to the networking firm. Exploiting this flaw involves an attacker logging into the system to execute arbitrary commands.

The flaw impacts Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1, irrespective of device configuration.

Compromise Indicators

Compromise can be identified via log entries in `/var/log/active/syslog/secure` showing root user activity with root permissions. Fortunately, logging for this event is enabled by default.

To retrieve the log, Cisco recommends running `cucm1# file get activelog syslog/secure` from the CLI (`cucm1#` is the CLI prompt, not part of the command). An entry containing both sshd and a successful SSH login by the root user indicates a compromise.
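The check described above can be automated once the log has been retrieved. The following is an added example, not Cisco's code: it assumes the entries use the standard OpenSSH and pam_unix success messages, the function name `find_root_ssh_logins` is hypothetical, and the sample lines are constructed.

```python
import re
import sys

# Standard OpenSSH / pam_unix success messages, anchored right after the
# "sshd:" tag. The surrounding line layout on Unified CM is an assumption.
ACCEPTED = re.compile(r"\bsshd(?:\[\d+\])?: Accepted (\S+) for root from (\S+)")
PAM_OPEN = re.compile(
    r"\bsshd(?:\[\d+\])?: pam_unix\(sshd:session\): session opened for user root\b"
)

# Constructed sample lines (documentation IP ranges), not real Unified CM output.
SAMPLE = """\
Jul  2 09:14:01 cucm1 sshd[4121]: Failed password for root from 198.51.100.23 port 50112 ssh2
Jul  2 09:14:07 cucm1 sshd[4121]: Accepted password for root from 198.51.100.23 port 50112 ssh2
Jul  2 09:14:07 cucm1 sshd[4121]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  2 09:20:44 cucm1 sshd[4188]: Accepted password for admin from 192.0.2.10 port 40022 ssh2
Jul  2 09:21:00 cucm1 sudo: pam_unix(sudo:session): session opened for user root by admin(uid=0)
"""

def find_root_ssh_logins(lines):
    """Return one record per line that shows a successful root login via sshd."""
    hits = []
    for number, line in enumerate(lines, start=1):
        line = line.rstrip("\n")
        accepted = ACCEPTED.search(line)
        if accepted:
            hits.append({"line": number, "kind": "accepted",
                         "method": accepted.group(1),
                         "source": accepted.group(2), "raw": line})
        elif PAM_OPEN.search(line):
            # Session line carries no source address; pair it with the
            # preceding "Accepted" entry when triaging.
            hits.append({"line": number, "kind": "session-opened",
                         "method": None, "source": None, "raw": line})
    return hits

if __name__ == "__main__":
    # With a path argument, scan the downloaded log; otherwise scan SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as handle:
            found = find_root_ssh_logins(handle)
    else:
        found = find_root_ssh_logins(SAMPLE.splitlines())
    for hit in found:
        print(f"line {hit['line']}: {hit['kind']}: {hit['raw']}")
    sys.exit(1 if found else 0)
```

Failed attempts, logins by other users, and root sessions opened by processes other than sshd are deliberately not reported, matching the indicator as the article states it.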

Immediate Action Required

Cisco reports there is no workaround. Users must upgrade vulnerable devices to Cisco Unified CM and Unified CM SME 15SU3 (July 2025) or apply the CSCwp27755 patch file.

Customers with service contracts will receive updates through standard channels; others should contact Cisco TAC for help. Cisco stated that it detected this vulnerability during internal testing and does not believe it has been exploited in the wild.

Prior Security Alerts

This marks the second critical vulnerability disclosed by Cisco recently. Just last week, a warning was issued to users of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) regarding a flaw enabling remote attackers to execute OS commands as root.

Such access would permit a full remote takeover of the device without needing authentication or any user interaction.

Earlier this year, in April, Cisco alerted users to a critical Smart Licensing Utility (CSLU) vulnerability that exposed a built-in backdoor admin account used in attacks. In May, a hardcoded JSON Web Token (JWT) allowed unauthenticated remote attackers to seize control of IOS XE devices.

The increased frequency of attacks targeting network infrastructure highlights the importance of proactive security measures; network-based attacks saw a 16% increase in 2023 (Verizon DBIR 2024).