
Cisco Patches Critical Backdoor Vulnerability in Unified Communications Manager


TL;DR

Cisco recently addressed a critical vulnerability (CVE-2025-20309) in its Unified Communications Manager (CUCM) that allowed remote attackers to gain root access using hardcoded credentials. This backdoor account has been removed in the latest update, and administrators are urged to apply the necessary patches.

Cisco Addresses Critical Backdoor Vulnerability in Unified Communications Manager

Cisco, a leading provider of digital communications technology, has addressed a severe security vulnerability in its Unified Communications Manager (CUCM) and Session Management Edition (Unified CM SME). This flaw, tracked as CVE-2025-20309, has a CVSS score of 10, indicating its critical nature [1].

Vulnerability Overview

The vulnerability allows remote attackers to log in using hardcoded root credentials embedded during development. These static credentials cannot be changed or deleted, posing a significant security risk. The Cisco Unified Communications Manager (CUCM) is a vital enterprise-level system for voice, video, messaging, and mobility communications [1].

Risks and Impact

If exploited, attackers can gain full root privileges, enabling them to execute any command on the affected system. This vulnerability is particularly dangerous as it requires no authentication, making it a high-risk issue for devices running the affected software [1].

Cisco’s Official Statement

Cisco’s advisory states:

“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user” [1].

Mitigation Steps

Cisco has removed the backdoor account in the latest update. The vulnerability affects specific versions of Cisco Unified CM and Unified CM SME Engineering Special releases, from 15.0.1.13010-1 to 15.0.1.13017-1. These versions are limited fix releases available only through Cisco TAC [1].

Affected Versions

  • Cisco Unified CM and Unified CM SME Engineering Special releases 15.0.1.13010-1 to 15.0.1.13017-1

Administrators are advised to upgrade to the appropriate fixed software release. There are no workarounds available to mitigate this vulnerability [1].

| Cisco Unified CM and Unified CM SME Release | First Fixed Release |
|---|---|
| 12.5 | Not vulnerable |
| 14 | Not vulnerable |
| 15.0.1.13010-1 through 15.0.1.13017-1 | 15SU3 (Jul 2025) or apply patch file: ciscocm.CSCwp27755_D0247-1.cop.sha512 |

Detection and Monitoring

Cisco PSIRT has not detected any active exploitation of this vulnerability. However, administrators can monitor for potential compromises by checking for successful SSH logins by the root user in the system log (/var/log/active/syslog/secure). This logging is enabled by default, and the log can be retrieved with the CLI command:

    file get activelog syslog/secure

Look for entries showing both sshd and a root login session to identify potential issues [1].
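As an added illustration (not code from Cisco's advisory or from this post), the check below parses sshd entries in the style of a Linux secure log and reports only root logins where an "Accepted" line is followed by a matching "session opened for user root" line from the same sshd process. The sample log lines, host name and addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the style of a Linux "secure" log (not a capture
# from a real CUCM appliance); the host name and addresses are placeholders.
SAMPLE_SECURE_LOG = """\
Jul  2 10:14:03 cucm-pub sshd[21544]: Accepted password for root from 203.0.113.45 port 51322 ssh2
Jul  2 10:14:03 cucm-pub sshd[21544]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  2 10:20:11 cucm-pub sshd[21602]: Failed password for root from 203.0.113.45 port 51390 ssh2
Jul  2 10:25:40 cucm-pub sshd[21688]: Accepted publickey for admin from 198.51.100.7 port 44210 ssh2
Jul  2 10:25:40 cucm-pub sshd[21688]: pam_unix(sshd:session): session opened for user admin by (uid=0)
"""

# "Accepted" lines carry the auth method and source; the PAM session line confirms the login.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
SESSION_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session opened for user (?P<user>\S+)"
)

@dataclass(frozen=True)
class RootSshLogin:
    timestamp: str
    pid: str
    method: str
    source: str
    port: str

def find_root_ssh_logins(log_text: str) -> list[RootSshLogin]:
    """Return successful root SSH logins: an sshd 'Accepted' line for root
    that is confirmed by a 'session opened for user root' line with the same pid."""
    accepted = {}    # sshd pid -> candidate root login
    sessions = set()  # sshd pids that opened a root session
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m and m["user"] == "root":
            accepted[m["pid"]] = RootSshLogin(m["ts"], m["pid"], m["method"], m["src"], m["port"])
            continue
        s = SESSION_RE.search(line)
        if s and s["user"] == "root":
            sessions.add(s["pid"])
    return [login for pid, login in accepted.items() if pid in sessions]

if __name__ == "__main__":
    for hit in find_root_ssh_logins(SAMPLE_SECURE_LOG):
        print(f"ALERT root ssh login at {hit.timestamp} from {hit.source}:{hit.port} ({hit.method})")
```

Failed attempts and non-root sessions are ignored, so a hit means a root session was actually opened and warrants investigation.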

References

  1. Cisco (2025). “CVE-2025-20309: Cisco Unified Communications Manager SSH Vulnerability”. Cisco Security Center. Retrieved 2025-07-02.

This post is licensed under CC BY 4.0 by the author.