Cisco patches critical 10.0 bug in Unified CM systems

Cisco released patches for a critical 10.0 flaw in Cisco Unified Communications Manager (Unified CM) and Communications Manager Session Management Edition (Unified CM SME) that could let attackers take full control of the system.

In a July 2 advisory, Cisco said the bug – CVE-2025-20309 – was caused by the presence of a static user credential for the root account reserved for development.

The large networking company noted that a successful exploit could let the attacker log in to the affected system and execute arbitrary commands as the root user.

As of Thursday afternoon, there were no known exploits of the bug in the wild. Cisco released software updates that fix the vulnerability and added that there are no workarounds available. The vulnerability affects Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017, regardless of device configuration.

Cisco pointed out that the Cisco Security Indicators of Compromise Reference Guide lists commonly observed indicators of compromise (IOCs), which can help teams identify devices that may have been impacted by the vulnerability disclosed in the advisory.

Ben Ronallo, principal cybersecurity engineer at Black Duck, said any organization using the Cisco devices needs to upgrade as soon as possible. Ronallo said they need to refer to the IOCs provided in the Cisco advisory and immediately enact their incident response processes.

“Because the credentials belong to a root (admin) account, the potential for malicious activity is significant,” said Ronallo. “One plausible effect of this could be that an attacker can modify network routing for social engineering or data exfiltration purposes.”

Shane Barney, chief information security officer at Keeper Security, added that hard-coded root credentials that allow unauthenticated remote access effectively hand over full control of the system. Barney said in a platform like Cisco’s Unified Communications Manager, that could let attackers move deeper into the network, listen in on calls, or change how users log in.

“It’s good that Cisco caught this internally and has a fix available, but the risk is real and immediate for any organization still running affected versions,” said Barney. “A CVSS score of 10.0 is as serious as it gets, and patching needs to happen now. These kinds of flaws are a reminder that even the most trusted systems can carry hidden risks.”
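The first practical step the advisory implies is working out which Unified CM and Unified CM SME nodes fall inside the affected Engineering Special range. The script below is an added example, not code from Cisco or from this article: it parses version strings in the form the advisory uses (`15.0.1.13010-1`, i.e. four dotted numeric fields plus an optional `-N` build suffix) and flags any build between 15.0.1.13010 and 15.0.1.13017 inclusive. The hostnames and the inventory list are constructed for illustration, and the assumption that every `-N` build of 15.0.1.13017 counts as affected is ours, read from the advisory's "through 15.0.1.13017" wording; strings that do not parse are reported for manual review rather than silently treated as safe.

```python
"""Flag Cisco Unified CM / Unified CM SME Engineering Special builds inside the
range the CVE-2025-20309 advisory names as affected. Added example, not Cisco code."""
import re
from typing import List, Optional, Tuple

# Affected range as stated in the advisory: 15.0.1.13010-1 through 15.0.1.13017.
# The "-N" build suffix is ignored, so any build of 15.0.1.13017 is treated as
# affected (our reading of "through 15.0.1.13017").
AFFECTED_LOW = (15, 0, 1, 13010)
AFFECTED_HIGH = (15, 0, 1, 13017)

# Four dotted numeric fields, optionally followed by "-<build>".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Return the four numeric components of a version such as '15.0.1.13010-1'.
    The optional '-N' build suffix is dropped. Returns None if the string does
    not have the expected shape, so callers can route it to manual review."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        return None
    major, minor, maint, build = match.groups()[:4]
    return (int(major), int(minor), int(maint), int(build))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is inside the affected range (inclusive),
    False if it is outside, None if the string could not be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return AFFECTED_LOW <= parsed <= AFFECTED_HIGH


def triage(inventory: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Split (hostname, version) pairs into hosts needing the update and hosts
    whose version string must be checked by hand."""
    needs_update: List[str] = []
    needs_review: List[str] = []
    for host, version in inventory:
        verdict = is_affected(version)
        if verdict is None:
            needs_review.append(host)
        elif verdict:
            needs_update.append(host)
    return needs_update, needs_review


# Constructed sample inventory: hostnames and versions are made up, except that
# the range endpoints mirror the advisory.
SAMPLE_INVENTORY = [
    ("cucm-pub-01", "15.0.1.13010-1"),   # lower bound, affected
    ("cucm-sub-02", "15.0.1.13015-2"),   # inside range, affected
    ("cucm-sub-03", "15.0.1.13017-1"),   # upper bound, affected
    ("cucm-lab-04", "15.0.1.13018-1"),   # one build past the range
    ("cucm-old-05", "14.0.1.10000-20"),  # different major release, not in range
    ("cucm-bad-06", "unknown"),          # unparseable, needs manual review
]

if __name__ == "__main__":
    update, review = triage(SAMPLE_INVENTORY)
    for host in update:
        print(f"{host}: affected ES build, apply Cisco's fixed release")
    for host in review:
        print(f"{host}: version string not recognised, check manually")
```

Run against a real inventory export, this gives a defensible list of nodes to upgrade first; anything in the "review" list should be checked against the advisory by hand rather than assumed clean.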