Warning: Hardcoded credentials in Cisco Unified Communications Manager, Patch Immediately!

Published: 03/07/2025

 

    * Last update:  03/07/2025
   
    * Affected software: Cisco Unified Communications Manager
 
    * Type: Use of Hard-Coded Credentials
 
    * CVE/CVSS
        → CVE-2025-20309: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

 

Sources

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20309
 

Risks

A critical vulnerability (CVE-2025-20309) has been identified in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). This flaw allows unauthenticated, remote attackers to gain root access using hardcoded, static credentials that cannot be changed or deleted.
Although not currently observed in active exploitation, the vulnerability poses a significant risk due to its trivial exploitability and the critical role these systems play in managing enterprise voice and video communications. This vulnerability impacts all aspects of the CIA triad: confidentiality, integrity, and availability. It should be patched with the highest priority to mitigate potential exploitation.
 

Description

CVE-2025-20309, CVSS 10
CWE-798 Use of Hard-coded Credentials
This vulnerability affects Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1, regardless of device configuration. Due to the presence of hardcoded SSH credentials, any attacker with access to the SSH port can log in as root, gaining full control of the device. In addition to patching, Cisco recommends reviewing system logs for signs of compromise, particularly for SSH logins as root, which can be inspected with: “file get activelog syslog/secure”.
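
An added example, not part of the CCB or Cisco advisory: once the output of the command above has been saved to a file, a short Python script can list the successful SSH logins as root for review. It assumes the log uses the stock OpenSSH and pam_unix message wording; the function name, host name and sample lines are constructed for illustration.

```python
import re

# Message shapes assumed to follow stock OpenSSH / pam_unix wording.
ACCEPTED = re.compile(
    r"sshd(?:\[\d+\])?:\s+Accepted (?P<method>\S+) for root from (?P<src>\S+) port \d+"
)
SESSION = re.compile(
    r"sshd(?:\[\d+\])?:\s+pam_unix\(sshd:session\): session opened for user root\b"
)
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})")


def find_root_ssh_logins(lines):
    """Return one dict per line that records a successful SSH login as root."""
    hits = []
    for number, line in enumerate(lines, start=1):
        accepted = ACCEPTED.search(line)
        session = SESSION.search(line)
        if not (accepted or session):
            continue  # failed attempts and other users are not reported here
        ts = TIMESTAMP.match(line)
        hits.append({
            "line": number,
            "time": ts.group("ts") if ts else None,
            "kind": "accepted" if accepted else "session-opened",
            "source": accepted.group("src") if accepted else None,
            "method": accepted.group("method") if accepted else None,
        })
    return hits


# Constructed sample lines (not taken from a real device or from the advisory).
SAMPLE = """\
Jul  1 09:12:01 cucm-example sshd[4121]: Accepted password for admin from 192.0.2.10 port 50122 ssh2
Jul  1 09:14:37 cucm-example sshd[4188]: Failed password for root from 198.51.100.7 port 41812 ssh2
Jul  1 09:14:52 cucm-example sshd[4190]: Accepted password for root from 198.51.100.7 port 41830 ssh2
Jul  1 09:14:52 cucm-example sshd[4190]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  1 09:20:03 cucm-example sshd[4302]: pam_unix(sshd:session): session opened for user rootless by (uid=0)
""".splitlines()

if __name__ == "__main__":
    for hit in find_root_ssh_logins(SAMPLE):
        print(hit)
```

Any hit on an affected release warrants investigation, and an empty result only covers the period the retrieved log retains.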

 

Recommended Actions

 
Patch 
 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
  
Monitor/Detect 
  
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
  
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
 
 

References

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7