Hardcoded SSH credentials in Cisco's communications software allow attackers to take over systems with root access. The pain point: static root credentials in Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME). The vulnerability has been given the maximum CVSS score of 10 out of 10.
CVE-2025-20309 sounds like a dream come true for threat actors. Anyone who knows the credentials can log in to an affected system and run arbitrary commands as root, the most severe form of compromise; no prior access or user interaction is needed. The flaw exists because the affected builds ship with static login credentials for the root account that were left over from development. Cisco has patches available to fix the problem.
Development credentials leaked
“This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development,” Cisco explains in a security advisory.
Administrators cannot remove or change these credentials, so there is no configuration change that mitigates the issue. Anyone who obtains the credentials can use them to log in remotely to a vulnerable system as root.
Only the Engineering Special (ES) builds of Unified CM and Unified CM SME, versions 15.0.1.13010-1 through 15.0.1.13017-1, are affected. Whether a given device is exploitable does not depend on its configuration.
Detection of misuse
If you are running one of the affected versions and are concerned about a compromise, you can still find out whether an intrusion has occurred. According to Cisco, successful exploitation leaves a log entry for the root user in /var/log/active/syslog/secure; on the platform CLI this file can be retrieved with `file get activelog syslog/secure`. Organizations should review this log for root logins. Note that an attacker who already has root could also have edited or cleared the log, so a clean log is not proof that the system is untouched.
Cisco has released a patch file for the affected ES builds. The fix is also being included in Unified CM and Unified CM SME release 15SU3, which is expected this month.
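The following script, added here as an illustration and not Cisco's own tooling, puts the two checks above together: it tests whether a version string (as printed by `show version active`) falls in the affected ES range, and it scans a copy of the secure log for SSH logins as root. The sample log lines are constructed in the standard OpenSSH/syslog format; the exact line format on a Unified CM node is an assumption, so adjust the regular expression if your log differs.

```python
"""Triage helper for CVE-2025-20309 (static root credentials in Cisco Unified CM / CM SME).

Added example, not code from Cisco. Assumptions (not confirmed by the advisory):
  - the version string is what `show version active` prints, e.g. "15.0.1.13010-1";
  - /var/log/active/syslog/secure uses the usual OpenSSH/syslog line format;
  - the SAMPLE_SECURE_LOG lines below are constructed test data, not real logs.
"""
import re
from typing import NamedTuple

# Engineering Special range listed as affected in Cisco's advisory (inclusive).
AFFECTED_FIRST = "15.0.1.13010-1"
AFFECTED_LAST = "15.0.1.13017-1"


def parse_version(version: str) -> tuple:
    """'15.0.1.13010-1' -> (15, 0, 1, 13010, 1) so versions compare numerically."""
    return tuple(int(part) for part in re.split(r"[.-]", version.strip()))


def is_affected(version: str) -> bool:
    """True if the build lies in the affected ES range."""
    return parse_version(AFFECTED_FIRST) <= parse_version(version) <= parse_version(AFFECTED_LAST)


class RootLogin(NamedTuple):
    timestamp: str
    host: str
    source_ip: str
    method: str      # e.g. "password" or "publickey"
    outcome: str     # "accepted" or "failed"


# Matches sshd lines such as (constructed):
#   Jul  2 14:03:11 cucm-pub sshd[5177]: Accepted password for root from 203.0.113.7 port 51234 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for root "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def find_root_logins(lines) -> list:
    """Return every accepted or failed SSH login for the root user, in log order."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append(RootLogin(m["ts"], m["host"], m["ip"], m["method"], m["outcome"].lower()))
    return events


def triage(version: str, lines) -> dict:
    """Combine the version check and the log scan into one summary."""
    events = find_root_logins(lines)
    accepted = [e for e in events if e.outcome == "accepted"]
    return {
        "affected": is_affected(version),
        "root_login_attempts": len(events),
        "accepted_root_logins": len(accepted),
        "sources": sorted({e.source_ip for e in accepted}),
    }


# Constructed sample of /var/log/active/syslog/secure: one normal platform login,
# then one failed and one successful root login from the same external address.
SAMPLE_SECURE_LOG = """\
Jul  2 09:15:02 cucm-pub sshd[4021]: Accepted password for admin from 10.0.0.5 port 50212 ssh2
Jul  2 09:15:02 cucm-pub sshd[4021]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jul  2 14:03:09 cucm-pub sshd[5177]: Failed password for root from 203.0.113.7 port 51230 ssh2
Jul  2 14:03:11 cucm-pub sshd[5177]: Accepted password for root from 203.0.113.7 port 51234 ssh2
Jul  2 14:03:11 cucm-pub sshd[5177]: pam_unix(sshd:session): session opened for user root by (uid=0)
""".splitlines()


if __name__ == "__main__":
    report = triage("15.0.1.13012-1", SAMPLE_SECURE_LOG)
    print(report)
    for event in find_root_logins(SAMPLE_SECURE_LOG):
        print(event)
```

Because the advisory ties successful exploitation to a root login entry in this file, any accepted root SSH login on an unpatched host should be treated as a compromise until proven otherwise, and the source address is the first pivot for the rest of the investigation. Failed attempts against root are worth keeping too: on an affected build they show who was probing for the credentials. The absence of entries is weaker evidence, since a root-level attacker can edit the log.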
Cisco reports that it is not currently aware of any active exploitation of this vulnerability in production environments. Nevertheless, the company stresses that the issue requires urgent attention given its maximum CVSS score.
Last month, Cisco also released patches for three medium-severity vulnerabilities in Spaces Connector, Enterprise Chat and Email, and BroadWorks Application Delivery Platform. Privilege escalation and cross-site scripting (XSS) were the main risks associated with those three flaws.