Cisco Issues Security Updates for Major Vulnerability in Unified Communications Manager

Scott Hill

Cisco has announced the release of security updates to rectify a critical vulnerability in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). This flaw could allow an attacker to log into a vulnerable device as the root user, thereby gaining elevated privileges.

The vulnerability, identified as CVE-2025-20309, has a CVSS score of 10.0, the maximum severity rating. According to Cisco’s advisory published on Wednesday, the issue stems from static user credentials that were intended for development purposes but remain active in live systems.

“This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development,” Cisco stated. “An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.”

Such hard-coded credentials, often resulting from testing or emergency fixes, should not be present in production systems. In applications like Unified CM that manage voice communication across organizations, root access can enable attackers to penetrate further into the network, eavesdrop on calls, or alter user login procedures.

Cisco confirmed that there is currently no evidence to suggest that this vulnerability has been exploited in real-world scenarios; it was uncovered during internal security testing. The affected versions include Unified CM and Unified CM SME versions 15.0.1.13010-1 through 15.0.1.13017-1, regardless of device configuration.

Additionally, Cisco has provided indicators of compromise (IoCs) related to the vulnerability: a successful attack would generate a log entry in “/var/log/active/syslog/secure” for the root user with root permissions. This log can be retrieved using the following command from the command-line interface:
cucm1# file get activelog syslog/secure
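
The following is an added example, not code from Cisco's advisory or from this article, showing one way to triage a retrieved copy of the secure log for the indicator described above. It assumes the entries use the standard Linux PAM "session opened for user" wording (the article does not show the exact line format), and the sample lines and the name find_root_sessions are constructed for illustration.

```python
import re
import sys

# Assumption: entries follow the standard Linux PAM wording
# "pam_unix(<service>:session): session opened for user <name>"; the article
# does not show the exact line format.
OPENED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r".*?pam_unix\((?P<service>[^):]+):session\):\s+"
    r"session opened for user (?P<user>[^\s(]+)"
)

# Constructed sample lines (192.0.2.10 is a documentation address).
SAMPLE = """\
Jul  2 09:14:01 cucm1 authpriv 6 sshd: pam_unix(sshd:session): session opened for user administrator by (uid=0)
Jul  2 09:20:37 cucm1 authpriv 5 sshd: Failed password for root from 192.0.2.10 port 50522 ssh2
Jul  2 09:21:02 cucm1 authpriv 6 sshd: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  2 09:21:02 cucm1 authpriv 6 systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jul  2 09:25:40 cucm1 authpriv 6 sshd: pam_unix(sshd:session): session closed for user root
"""


def find_root_sessions(lines, ignore_services=frozenset()):
    """Return one record per 'session opened' entry for user root."""
    hits = []
    for number, raw in enumerate(lines, 1):
        m = OPENED.match(raw.strip())
        # Failed logins and session-closed lines do not match the pattern;
        # sessions for other accounts are filtered here.
        if not m or m["user"] != "root" or m["service"] in ignore_services:
            continue
        hits.append({
            "line": number,
            "time": " ".join(m["ts"].split()),  # collapse padded day field
            "host": m["host"],
            "service": m["service"],
        })
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE.splitlines()
    for hit in find_root_sessions(lines):
        print("{time} {host} root session via {service} (line {line})".format(**hit))
```

Run it with the path to the retrieved log as the first argument; with no argument it scans the constructed sample.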

This announcement follows closely on the heels of Cisco remedying two other security vulnerabilities in its Identity Services Engine and ISE Passive Identity Connector (CVE-2025-20281 and CVE-2025-20282), which also allowed unauthenticated attackers to execute arbitrary commands as the root user.
