4 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Cisco Unified Communications Manager Static Root SSH Credentials
CVSS Score: 10.0 (Critical)
Identifier: CVE-2025-20309
Exploit or POC: No known public exploit or PoC yet
Update: CVE-2025-20309 – Cisco Security Advisory
Description: CVE-2025-20309 is a critical vulnerability in Cisco Unified Communications Manager (Unified CM) and the Session Management Edition (SME) where the root account includes hard-coded, static SSH credentials that cannot be changed or removed. This design flaw allows any unauthenticated, remote attacker to log in with the root account and execute arbitrary commands as root. A successful exploit could lead to full device takeover, with the attacker able to modify configurations, intercept calls, introduce malware, or disrupt communications infrastructure.
Affected Versions:
- Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1
Mitigation Recommendation:
Upgrade to Unified CM and SME 15SU3 (July 2025) or apply the CSCwp27755 patch per Cisco's advisory.
After remediation, check /var/log/active/syslog/secure for root login entries as indicators of compromise.
Restrict SSH access to trusted management networks, implement access controls, and monitor for unusual root activity.
Note: There are no available workarounds — only patching or upgrade fully addresses the vulnerability. Although no active exploits have been reported, the presence of static root access represents a critical risk to communications infrastructure, and timely action is strongly recommended.
