Cisco has released a high-severity security advisory confirming the removal of a hardcoded root account from its Unified Communications Manager (Unified CM) after discovering that attackers could exploit it for remote, unauthenticated access with full system privileges.
Critical Root Access Vulnerability Discovered in Cisco Unified CM
The vulnerability, tracked as CVE-2025-20309, affects Unified CM and Unified CM Session Management Edition (SME) systems in engineering special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1. The flaw was caused by static credentials for the root user—credentials that were hardcoded during development and couldn’t be altered or removed through standard configuration.
Cisco explains:
“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.”
If exploited successfully, attackers could gain root-level command access, allowing full control of the device, manipulation of telephony features, or even pivoting deeper into internal networks.
No Workaround Available—Immediate Patching Required
Cisco has confirmed that no workaround exists to mitigate the vulnerability. The only way to fully resolve the issue is by updating to Unified CM and Unified CM SME 15SU3 (July 2025) or by applying the CSCwp27755 patch file. Until patched, systems remain vulnerable to remote compromise.
While Cisco PSIRT (Product Security Incident Response Team) has seen no current signs of active exploitation or publicly available proof-of-concept (PoC) code, the company has issued indicators of compromise (IOCs) to help administrators detect potential abuse.
Admins can run the following command to inspect logs for signs of exploitation:
file get activelog syslog/secure
Successful login attempts by the root user will be logged to /var/log/active/syslog/secure.
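As an added example (not part of Cisco's advisory or this article), the following Python script scans a copy of the retrieved secure log and reports every successful root login with its source address and auth method. It assumes the log uses the standard OpenSSH "Accepted ... for root from ..." line format; the sample log lines are constructed, not real Unified CM output.

```python
import re
from typing import Dict, Iterable, List

# Standard OpenSSH "Accepted" line. That Unified CM's secure log uses this
# exact format is an assumption; adjust the pattern if your log differs.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def find_root_logins(lines: Iterable[str], user: str = "root") -> List[Dict[str, str]]:
    """Return one record per successful login for `user` (default: root).

    Failed attempts are ignored: the IOC in the advisory is a *successful*
    root login, since the static credential always works when present.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = ACCEPTED_RE.match(line.strip())
        if m and m.group("user") == user:
            hits.append({"ts": m.group("ts"), "method": m.group("method"), "src": m.group("src")})
    return hits


def audit_secure_log(text: str) -> List[Dict[str, str]]:
    """Convenience wrapper for a log already read into memory."""
    return find_root_logins(text.splitlines())


def audit_secure_log_file(path: str) -> List[Dict[str, str]]:
    """Audit a secure log saved locally after `file get activelog syslog/secure`."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_root_logins(fh)


# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
Jul  2 09:14:03 cucm-pub sshd[2211]: Accepted password for administrator from 10.10.5.21 port 50122 ssh2
Jul  2 09:20:47 cucm-pub sshd[2390]: Failed password for root from 203.0.113.44 port 41001 ssh2
Jul  2 09:20:51 cucm-pub sshd[2390]: Accepted password for root from 203.0.113.44 port 41001 ssh2
Jul  2 11:02:10 cucm-pub sshd[2612]: Accepted publickey for root from 198.51.100.9 port 39822 ssh2
"""

if __name__ == "__main__":
    for h in audit_secure_log(SAMPLE_LOG):
        print(f"root login via {h['method']} from {h['src']} at {h['ts']}")
```

Any hit from an address that is not a known administrative host warrants treating the system as compromised rather than merely unpatched.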
Part of a Broader Pattern of Hardcoded Credential Disclosures
This isn’t the first time Cisco has had to remove hardcoded credentials from its products. Over the past few years, similar issues were reported in:
- IOS XE Software
- Wide Area Application Services (WAAS)
- Cisco DNA Center
- Cisco Emergency Responder
- Cisco Smart Licensing Utility (CSLU)
In each case, static admin or root credentials posed a serious security threat, enabling attackers to bypass authentication, hijack sessions, or maintain persistence on enterprise systems.
In May 2025, Cisco also disclosed a flaw involving a hardcoded JWT (JSON Web Token) in IOS XE software that allowed unauthenticated attackers to remotely take control of devices.
Ensuring Business Continuity After a Backdoor Incident
While Cisco has acted swiftly to patch this vulnerability, any organization running vulnerable Unified CM builds should treat this disclosure as a serious risk. If attackers were to exploit this backdoor, they could execute commands at the highest level of privilege—disrupting communications infrastructure and potentially exposing sensitive VoIP or collaboration data.
In such high-risk scenarios, having resilient, air-gapped recovery systems is not just recommended—it’s necessary.
Looking for a trusted recovery solution?
Defend your organization with StoneFly DR365—an air-gapped, immutable backup and recovery appliance trusted by enterprises to ensure zero data loss even in the event of complex cyberattacks.