Cisco has released patches for a maximum-severity security flaw in Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME).
The vulnerability, CVE-2025-20309, carries a CVSS score of 10.0, the maximum severity rating. Cisco said the flaw could allow an attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.
According to the networking giant, the source of the vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development.
An attacker could exploit this vulnerability by using the account to log in to an affected system and then execute arbitrary commands as the root user.
The vulnerability affects Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1, regardless of device configuration.
Indicators of compromise (IoCs) include a log entry to /var/log/active/syslog/secure for the root user with root permissions. Logging of this event is enabled by default.
To retrieve the logs, users should run the following command from the CLI, said Cisco: cucm1# file get activelog syslog/secure. If a log entry both includes sshd and shows a successful SSH login by the user root, it is an IoC.
No workaround available for Cisco flaw
There’s no workaround, said Cisco; users should upgrade vulnerable devices to Cisco Unified CM and Unified CM SME 15SU3 (July 2025) or apply the CSCwp27755 patch file here.
Customers with service contracts can receive updates through their usual channels, while those without should contact Cisco TAC for assistance.
The company said it doesn’t believe that the vulnerability, which was detected during internal testing, has been exploited in the wild.
This is the second critical vulnerability that Cisco’s announced in the last few days. Last week, it warned customers using Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) of a flaw that could allow a remote attacker to issue commands on the underlying operating system as root.
This could enable complete compromise and full remote takeover of the target device without any authentication or user interaction.
In April, it warned of a critical Smart Licensing Utility (CSLU) vulnerability exposing a built-in backdoor admin account used in attacks; and in May, of a hardcoded JSON Web Token (JWT) that allows unauthenticated remote attackers to take over IOS XE devices.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.