Maximum severity Cisco Unified CM vulnerability resolved

Cisco has issued fixes for a maximum-severity static SSH credentials flaw in its Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME), tracked as CVE-2025-20309, which could allow unauthorized logins through hardcoded root credentials, reports Security Affairs. The vulnerability stems from static user credentials for the root account that were left in place from development, and it affects Cisco Unified CM and Unified CM SME Engineering Special releases 15.0.1.13010-1 through 15.0.1.13017-1. "An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user," said Cisco, which has resolved the issue by removing the backdoor account from Unified CM. While there is no evidence of active exploitation, organizations running vulnerable Cisco Unified CM instances have been urged to apply the released patches immediately and to review the Indicators of Compromise Cisco has provided.
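As an added example (not from the article or from Cisco), the following script triages an inventory of Unified CM build strings against the affected Engineering Special range quoted above; it assumes the range is inclusive at both ends, that build strings follow Cisco's `major.minor.maint.build-rev` shape, and that the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, Tuple

# Affected Engineering Special builds as quoted in the article (CVE-2025-20309);
# the range is assumed to be inclusive at both ends.
AFFECTED_LOW = "15.0.1.13010-1"
AFFECTED_HIGH = "15.0.1.13017-1"

# Cisco Unified CM build strings look like major.minor.maint.build-rev
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(s: str) -> Tuple[int, int, int, int, int]:
    """Turn '15.0.1.13010-1' into (15, 0, 1, 13010, 1) so builds compare numerically.
    Raises ValueError for anything that does not match the expected shape."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Unified CM version string: {s!r}")
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True when the build falls inside the affected ES range (inclusive)."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'affected', 'not-affected' or 'unknown'. An unparsable
    string is reported as 'unknown' so it gets checked by hand rather than passed."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not-affected"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "cucm-pub-01": "15.0.1.13010-1",  # first affected ES build
    "cucm-sub-02": "15.0.1.13017-1",  # last affected ES build
    "cucm-sme-01": "15.0.1.13018-1",  # one build past the range
    "cucm-lab-01": "14.0.1.10000-1",  # older release, outside the stated range
    "cucm-dr-01": "15.0.1",           # truncated string: flag for manual review
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:>16s}  {status}")
```

The check covers only the range the article names; hosts reported as "not-affected" should still be compared against Cisco's full advisory before being closed out.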