Emergency Security Bulletin: Cisco Unified Communications Manager Static Root SSH Credentials


By: RedLegg's Cyber Threat Intelligence Team

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Cisco Unified Communications Manager Static Root SSH Credentials

 

CVSS Score: 10.0 (Critical)
Identifier: CVE-2025-20309
Exploit or POC: No known public exploit or PoC yet
Update: CVE-2025-20309 – Cisco Security Advisory

Description: CVE-2025-20309 is a critical vulnerability in Cisco Unified Communications Manager (Unified CM) and the Session Management Edition (SME) where the root account includes hard-coded, static SSH credentials that cannot be changed or removed. This design flaw allows any unauthenticated, remote attacker to log in with the root account and execute arbitrary commands as root. A successful exploit could lead to full device takeover, with the attacker able to modify configurations, intercept calls, introduce malware, or disrupt communications infrastructure.

Affected Versions:

  • Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1

Mitigation Recommendation:

Upgrade to Unified CM and SME 15SU3 (July 2025) or apply the CSCwp27755 patch per Cisco's advisory.
 
After remediation, check /var/log/active/syslog/secure for root login entries as indicators of compromise.
 
Restrict SSH access to trusted management networks, implement access controls, and monitor for unusual root activity.
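
A sketch of the root-login log check recommended above, added here as an example and not taken from RedLegg or Cisco. It assumes the log has been copied off the node for offline review and that entries use the common OpenSSH/PAM syslog wording; the function names, sample lines, host name and management network are hypothetical.

```python
import ipaddress
import re

# Assumed wording: common OpenSSH/PAM syslog messages. Adjust the patterns to
# the exact format in your copy of /var/log/active/syslog/secure.
ACCEPTED = re.compile(
    r"sshd(?:\[\d+\])?:\s+Accepted (?P<method>\S+) for root from (?P<src>\S+) port \d+")
SESSION = re.compile(
    r"sshd(?:\[\d+\])?:\s+pam_unix\(sshd:session\): session opened for user root\b")

def in_mgmt_network(src, mgmt_networks):
    """True if src is an IP address inside one of the management networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # hostname or malformed field: treat as untrusted
        return False
    return any(addr in ipaddress.ip_network(net) for net in mgmt_networks)

def find_root_logins(lines, mgmt_networks=()):
    """Return one record per root SSH login entry, in log order."""
    events = []
    for lineno, line in enumerate(lines, start=1):
        accepted = ACCEPTED.search(line)
        if accepted:
            src = accepted.group("src")
            events.append({"line": lineno, "kind": "accepted",
                           "method": accepted.group("method"), "source": src,
                           "from_mgmt": in_mgmt_network(src, mgmt_networks)})
        elif SESSION.search(line):
            events.append({"line": lineno, "kind": "session", "method": None,
                           "source": None, "from_mgmt": False})
    return events

# Constructed sample lines (documentation IP ranges, hypothetical host name).
SAMPLE_LOG = """\
Jul  3 09:14:02 cucm-pub sshd[4121]: Accepted password for admin from 192.0.2.10 port 50122 ssh2
Jul  3 09:20:51 cucm-pub sshd[4188]: Accepted password for root from 198.51.100.23 port 41822 ssh2
Jul  3 09:20:51 cucm-pub sshd[4188]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  3 11:02:10 cucm-pub sshd[5012]: Accepted publickey for root from 192.0.2.10 port 50310 ssh2
""".splitlines()

if __name__ == "__main__":
    for event in find_root_logins(SAMPLE_LOG, mgmt_networks=["192.0.2.0/24"]):
        print(event)
```

The `from_mgmt` flag is only a triage aid for ordering the review; every root login entry on an affected release still needs to be accounted for.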
 
 
Note: There are no available workarounds — only patching or upgrade fully addresses the vulnerability. Although no active exploits have been reported, the presence of static root access represents a critical risk to communications infrastructure, and timely action is strongly recommended.