CVE-2025-20309: Cisco Unified CM Static SSH Credentials Vulnerability

A critical vulnerability, identified as CVE-2025-20309, exists in certain versions of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). This flaw has been assigned a CVSS score of 10.0, indicating the highest level of severity. The vulnerability permits an unauthenticated, remote attacker to gain complete control of an affected system by logging in with unchangeable, default root credentials.

Threat alert
July 8, 2025

The core of this vulnerability is the presence of static, hardcoded credentials for the root user account that are reserved for use during development and cannot be changed or deleted by the administrator. An attacker can exploit this remotely by using these credentials to log in to a vulnerable device over SSH. A successful exploit grants the attacker full root privileges, allowing the execution of arbitrary commands and a complete compromise of the system's confidentiality, integrity, and availability.

Indicator of Compromise (IoC)

A log entry in /var/log/active/syslog/secure showing a successful SSH login by the root user is a sign of compromise. The log can be retrieved through the Command Line Interface (CLI) with:

    cucm1# file get activelog syslog/secure

A log entry similar to the one below confirms exploitation:

    Apr 6 10:38:43 cucm1 authpriv 6 sshd: pam_unix(sshd:session): session opened for user root by (uid=0)

Check the log on every Unified CM and Unified CM SME node running an affected release, not only the publisher. The root account is not used for day-to-day administration of these systems, so any root SSH session in this log warrants investigation.
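As an added example (not part of the Cisco advisory or this alert), the following Python script applies the check described above to a copy of the secure log: it flags every line in which root gets in over SSH and pulls out the timestamp, host and, where sshd's own "Accepted" line is present, the client address. The sample log lines are constructed. The "Accepted ... for root from ..." message and the optional "(uid=0)" suffix after the user name are assumptions about standard OpenSSH and pam_unix wording, not something the advisory states.

```python
"""Scan a Unified CM 'secure' log for the CVE-2025-20309 indicator of compromise.

Added example, not Cisco tooling. It assumes the log was copied off the node
with `file get activelog syslog/secure` and follows the syslog layout shown in
the advisory. The sample log below is constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional

# syslog prefix shared by both patterns: "Mon DD HH:MM:SS host ... sshd: "
_PREFIX = (
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?"
    r"sshd(?:\[\d+\])?: "
)

# Primary IoC from the advisory: pam_unix opens an sshd session for root.
# Newer pam_unix builds write "user root(uid=0) by", so the suffix is optional
# (assumption: either form may appear).
ROOT_SESSION_RE = re.compile(
    _PREFIX + r"pam_unix\(sshd:session\): session opened for user root(?:\(uid=\d+\))? by"
)

# Supporting evidence: OpenSSH's own "Accepted" line, which carries the client
# address. Assumption: Unified CM's sshd logs it to the same file.
ROOT_ACCEPTED_RE = re.compile(
    _PREFIX + r"Accepted (?P<method>\S+) for root from (?P<src>\S+) port (?P<port>\d+)"
)


def find_root_ssh_logins(lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Return one record per line that shows root getting in over SSH.

    Lines for other users, failed attempts and unrelated daemons are ignored.
    Each record carries the timestamp, host, source address (when the line
    has one) and the raw line for the incident report.
    """
    hits: List[Dict[str, Optional[str]]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = ROOT_SESSION_RE.match(line)
        if m:
            hits.append({"kind": "session_opened", "ts": m["ts"], "host": m["host"],
                         "src": None, "raw": line})
            continue
        m = ROOT_ACCEPTED_RE.match(line)
        if m:
            hits.append({"kind": "accepted", "ts": m["ts"], "host": m["host"],
                         "src": m["src"], "raw": line})
    return hits


# Constructed sample log: benign admin activity, a failed root guess, then the
# two lines a login with the static root credentials would leave behind.
SAMPLE_SECURE_LOG = [
    "Apr  6 09:12:01 cucm1 authpriv 6 sshd: pam_unix(sshd:session): session opened for user admin by (uid=0)",
    "Apr  6 09:40:55 cucm1 authpriv 6 sshd: pam_unix(sshd:session): session closed for user admin",
    "Apr  6 10:38:40 cucm1 authpriv 4 sshd: Failed password for root from 198.51.100.23 port 50122 ssh2",
    "Apr  6 10:38:43 cucm1 authpriv 6 sshd: Accepted password for root from 198.51.100.23 port 50122 ssh2",
    "Apr  6 10:38:43 cucm1 authpriv 6 sshd: pam_unix(sshd:session): session opened for user root by (uid=0)",
]


def main() -> None:
    # Point this at open("secure") to scan a file copied off a real node.
    hits = find_root_ssh_logins(SAMPLE_SECURE_LOG)
    if not hits:
        print("no root SSH logins found")
        return
    print(f"{len(hits)} root SSH indicator(s) found:")
    for h in hits:
        src = f" from {h['src']}" if h["src"] else ""
        print(f"  {h['ts']} {h['host']} {h['kind']}{src}")


if __name__ == "__main__":
    main()
```

The two patterns are kept separate on purpose: the pam_unix session line is the indicator the advisory names and is sufficient on its own, while the "Accepted" line is only there to recover the source address for the investigation when the deployment's sshd logs it. Run the script against the file retrieved with the CLI command above on each node; a single hit is enough to treat the node as compromised.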

Vulnerable Versions

Cisco Unified CM and Unified CM SME Engineering Special (ES): 15.0.1.13010-1 – 15.0.1.13017-1

Mitigations and Recommendations

  • Upgrade Immediately: Administrators should prioritise moving vulnerable systems to a fixed software release. Unified CM and Unified CM SME releases 12.5 and 14 are not affected; affected Release 15 ES deployments should move to 15SU3 (scheduled for July 2025). Because the credentials are static and cannot be changed or removed by the administrator, there is no configuration workaround.
  • Monitor for IoCs: System administrators should actively monitor the secure log for root SSH logins as detailed in the Indicator of Compromise section above.
  • Restrict Access: As a general best practice, network access to the management interface of Cisco Unified CM and Unified CM SME devices, SSH included, should be restricted to trusted networks and authorised personnel.