Cisco Patches Critical Backdoor Vulnerability in Unified Communications Manager
TL;DR
Cisco recently addressed a critical vulnerability (CVE-2025-20309) in its Unified Communications Manager (CUCM) that allowed remote attackers to gain root access using hardcoded credentials. This backdoor account has been removed in the latest update, and administrators are urged to apply the necessary patches.
Cisco Addresses Critical Backdoor Vulnerability in Unified Communications Manager
Cisco, a leading provider of digital communications technology, has addressed a severe security vulnerability in its Unified Communications Manager (CUCM) and Session Management Edition (Unified CM SME). This flaw, tracked as CVE-2025-20309, carries a CVSS score of 10.0, the maximum possible, indicating its critical nature [1].
Vulnerability Overview
The vulnerability allows remote attackers to log in as root using static credentials that were embedded in the software for use during development and shipped in the affected builds. Because the account is built into the image, administrators cannot change its password, disable it, or delete it, so every affected system is exposed until it is patched. Cisco Unified Communications Manager (CUCM) is a core enterprise platform for voice, video, messaging, and mobility communications, which makes a root-level compromise of it particularly serious [1].
Risks and Impact
If exploited, attackers gain full root privileges and can execute any command on the affected system. The vulnerability is particularly dangerous because no legitimate credentials or prior access are needed: anyone who can reach the SSH service on an affected host and knows the static root credentials can log in directly. Cisco therefore rates it as exploitable by an unauthenticated, remote attacker [1].
Cisco’s Official Statement
Cisco’s advisory states:
“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user” [1].
Mitigation Steps
Cisco has removed the backdoor account in the fixed software. The vulnerability affects only specific Engineering Special (ES) releases of Cisco Unified CM and Unified CM SME, from 15.0.1.13010-1 through 15.0.1.13017-1. ES releases are limited fix builds that are distributed only through Cisco TAC, so they are not installed on every deployment; general releases 12.5 and 14 are not affected [1].
Affected Versions
- Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1
Recommended Actions
Administrators are advised to upgrade to the appropriate fixed software release, or to apply the patch file Cisco provides for the affected ES builds. There are no workarounds: because the root account cannot be disabled or have its password changed, patching is the only remediation [1].
| Cisco Unified CM and Unified CM SME Release | First Fixed Release |
|---|---|
| 12.5 | Not vulnerable |
| 14 | Not vulnerable |
| 15.0.1.13010-1 through 15.0.1.13017-1 | 15SU3 (Jul 2025), or apply patch file ciscocm.CSCwp27755_D0247-1.cop.sha512 |
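Because only a narrow range of ES builds is affected, the first practical step is to compare each node's active version against that range. The following script is an added example, not code from Cisco or from the original article: it parses a Unified CM version string of the form `major.minor.maint.build-rev`, checks it against the advisory's range, and pulls the version out of `show version active` output. The `Active Master Version:` line format and the sample CLI output are assumptions, not captured from a real system; confirm the line against your own nodes.

```python
import re

# Affected range from the Cisco advisory: ES builds 15.0.1.13010-1 through 15.0.1.13017-1.
AFFECTED_FIRST = "15.0.1.13010-1"
AFFECTED_LAST = "15.0.1.13017-1"

# Unified CM versions look like 15.0.1.13010-1: four dotted integers and a dash-separated revision.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a version string such as '15.0.1.13010-1' into a tuple that compares numerically."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Unified CM version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected ES range (inclusive).

    The comparison follows the advisory's listed range literally, so a build outside
    15.0.1.13010-1 .. 15.0.1.13017-1 (including 12.5 and 14 trains) returns False.
    """
    v = parse_version(version)
    return parse_version(AFFECTED_FIRST) <= v <= parse_version(AFFECTED_LAST)


def version_from_show_version(cli_output: str) -> str:
    """Extract the active version from 'show version active' output.

    Assumption: the CLI prints a line starting 'Active Master Version: <version>'.
    """
    for line in cli_output.splitlines():
        if line.startswith("Active Master Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Active Master Version' line found in CLI output")


# Constructed sample output (assumed format, not captured from a real node).
SAMPLE_OUTPUT = """admin:show version active
Active Master Version: 15.0.1.13012-1
Active Version Installed Software Options:
No Installed Software Options Found.
"""

if __name__ == "__main__":
    ver = version_from_show_version(SAMPLE_OUTPUT)
    print(f"{ver}: {'AFFECTED - patch required' if is_affected(ver) else 'not in affected range'}")
```

Run this against the output of `show version active` from every publisher and subscriber; ES builds are installed per node through TAC, so a cluster can mix affected and unaffected nodes.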
Detection and Monitoring
Cisco PSIRT has not detected any active exploitation of this vulnerability. Administrators can still check for compromise: a successful exploit leaves a record of the root user logging in over SSH in the system log at /var/log/active/syslog/secure. This logging is enabled by default, and the log can be retrieved from the CLI with:

```
file get activelog syslog/secure
```

Look for sshd entries that record a successful login for the root user (as opposed to failed attempts). Any such entry on an affected build should be treated as a potential compromise and investigated, since the static root account is not meant to be used in production [1].
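The check above reduces to scanning the retrieved log for successful sshd logins by root. The script below is an added example (not Cisco's tooling or code from the original article) that does this over a downloaded copy of the secure log: it ignores failed attempts and logins by other users, and summarises the remaining root logins by source address. The log line shape is assumed to be standard OpenSSH syslog output ("Accepted <method> for <user> from <ip> port <n>"); the sample lines are constructed, so confirm the format against a real `file get activelog syslog/secure` download before relying on the regex.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumed line shape: standard OpenSSH syslog output as it would appear in
# /var/log/active/syslog/secure. Verify against a real download before use.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class RootLogin:
    timestamp: str
    host: str
    method: str   # password, publickey, keyboard-interactive, ...
    source: str   # client IP address
    port: int


def find_root_ssh_logins(log_text: str) -> list[RootLogin]:
    """Return every successful sshd login for the root user found in the log text.

    Only 'Accepted ...' lines count; 'Failed password' lines and logins by other
    users (for example the platform 'admin' account) are ignored.
    """
    hits: list[RootLogin] = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m and m.group("user") == "root":
            hits.append(RootLogin(
                timestamp=m.group("ts"),
                host=m.group("host"),
                method=m.group("method"),
                source=m.group("src"),
                port=int(m.group("port")),
            ))
    return hits


def logins_by_source(hits: list[RootLogin]) -> dict[str, int]:
    """Count root logins per source address, which is what an analyst triages first."""
    return dict(Counter(h.source for h in hits))


# Constructed sample log (not from a real system): one failed root attempt, one successful
# root password login, a legitimate admin key login, and a second root login from another host.
SAMPLE_LOG = """\
Jul  2 09:14:03 cucm-pub sshd[4121]: Failed password for root from 203.0.113.45 port 50211 ssh2
Jul  2 09:14:07 cucm-pub sshd[4121]: Accepted password for root from 203.0.113.45 port 50211 ssh2
Jul  2 09:14:07 cucm-pub sshd[4121]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  2 10:02:51 cucm-pub sshd[4387]: Accepted publickey for admin from 198.51.100.7 port 41022 ssh2
Jul  2 11:30:12 cucm-pub sshd[4590]: Accepted password for root from 203.0.113.46 port 50399 ssh2
"""

if __name__ == "__main__":
    found = find_root_ssh_logins(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.host}: root login via {h.method} from {h.source}:{h.port}")
    print("root logins by source:", logins_by_source(found))
```

Point the script at the file you downloaded with `file get activelog syslog/secure` (read it into `log_text`) rather than the constructed sample. On an affected ES build, any hit at all is the indicator Cisco describes, because the static root account has no legitimate production use; the source addresses tell you where to look next.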