Cisco warns of critical flaw in Unified Communications Manager – so you better patch now

While the bug doesn't appear to have been exploited in the wild, Cisco customers are advised to move fast to apply a patch


Cisco has released patches for a maximum-severity security flaw in Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME).

The vulnerability, CVE-2025-20309, carries a CVSS score of 10.0, the maximum severity rating. Cisco said the flaw could allow an attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.

According to the networking giant, the source of the vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development.


An attacker could exploit this vulnerability by using the account to log in to an affected system and then execute arbitrary commands as the root user.

The vulnerability affects Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1, regardless of device configuration.

Indicators of compromise (IoCs) include a log entry to /var/log/active/syslog/secure for the root user with root permissions. Logging of this event is enabled by default.

To retrieve the logs, Cisco said, users should run the following command from the CLI: cucm1# file get activelog syslog/secure. A log entry is an IoC if it both includes sshd and shows a successful SSH login by the user root.
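As an added illustration of that check (not code from Cisco or from the article), the function below scans secure-log text for the indicator the advisory describes: sshd entries that record a successful login by root. The sample lines are constructed, and the assumption that the Unified CM secure log uses the standard OpenSSH "Accepted <method> for root" wording is mine; adjust the pattern to what file get activelog syslog/secure actually returns.

```python
import re

# Constructed sample of secure-log text. Assumption: sshd on Unified CM writes
# the standard OpenSSH "Accepted ... for <user> from <ip>" message on success.
SAMPLE_SECURE_LOG = """\
Jul  2 09:12:01 cucm1 sshd[2211]: Accepted password for root from 192.0.2.10 port 50211 ssh2
Jul  2 09:13:44 cucm1 sshd[2230]: Failed password for root from 192.0.2.10 port 50212 ssh2
Jul  2 09:15:07 cucm1 sshd[2245]: Accepted publickey for admin from 192.0.2.11 port 50300 ssh2
Jul  2 09:16:30 cucm1 sudo:   admin : TTY=pts/0 ; USER=root ; COMMAND=/bin/ls
Jul  2 09:18:12 cucm1 sshd[2260]: Accepted publickey for root from 198.51.100.5 port 40111 ssh2
"""

# Match only sshd success lines for the root user; capture method and source.
ROOT_SSH_SUCCESS = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for root from (?P<src>\S+) port \d+"
)


def find_root_ssh_logins(log_text):
    """Return (timestamp, source_ip, auth_method) for each IoC line.

    A line counts only if it is an sshd entry AND records a successful
    SSH login by root; failed attempts, other users and non-sshd lines
    (e.g. sudo to root) are ignored, matching the advisory's two conditions.
    """
    hits = []
    for line in log_text.splitlines():
        if "sshd" not in line:
            continue
        m = ROOT_SSH_SUCCESS.search(line)
        if m is None:
            continue
        # syslog timestamps are a fixed 15-character prefix ("Jul  2 09:12:01")
        hits.append((line[:15], m.group("src"), m.group("method")))
    return hits


if __name__ == "__main__":
    for ts, src, method in find_root_ssh_logins(SAMPLE_SECURE_LOG):
        print(f"IoC: root SSH login at {ts} from {src} via {method}")
```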

No workaround available for Cisco flaw

There's no workaround, said Cisco; users should upgrade vulnerable devices to Cisco Unified CM and Unified CM SME 15SU3 (July 2025) or apply the patch file for CSCwp27755.

Customers with service contracts can receive updates through their usual channels, while those without should contact Cisco TAC for assistance.

The company said it doesn't believe that the vulnerability, which was detected during internal testing, has been exploited in the wild.

This is the second critical vulnerability that Cisco has announced in the last few days. Last week, it warned customers using Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) of a flaw that could allow a remote attacker to issue commands on the underlying operating system as root.

This could enable complete compromise and full remote takeover of the target device without any authentication or user interaction.

In April, it warned of a critical Smart Licensing Utility (CSLU) vulnerability exposing a built-in backdoor admin account used in attacks; and in May, of a hardcoded JSON Web Token (JWT) that allows unauthenticated remote attackers to take over IOS XE devices.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.