Cisco Issues Urgent Patch for Critical Unified CM Vulnerability (CVE-2025-20309)

Cisco has released a critical security advisory concerning a severe vulnerability in its Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME), labeled CVE-2025-20309. This issue has been given the highest possible CVSS score of 10.0, indicating extreme severity. The vulnerability originates from static root credentials embedded during development that were never removed before the product’s release.

These credentials cannot be changed or removed by administrators, which makes the affected systems vulnerable to unauthenticated remote access. If exploited, the vulnerability allows an attacker to log in remotely as the root user and execute commands with unrestricted system privileges. This threat applies regardless of the system's configuration, as long as the affected version is in use.

Cisco discovered this flaw during internal security testing, and as of the advisory release, there is no evidence of it being actively exploited in the wild. The vulnerability specifically affects Engineering Special (ES) versions distributed via Cisco’s Technical Assistance Center (TAC). The confirmed vulnerable versions include 15.0.1.13010-1 through 15.0.1.13017-1.

Versions 12.5 and 14 are not affected. Cisco has released a fixed version, 15SU3, available from July 2025. For those needing immediate action, Cisco has provided a patch file named ciscocm.CSCwp27755_D0247-1.cop.sha512 which can be applied to address the vulnerability.

Cisco has emphasized that there are no available workarounds. Users must apply the patch or upgrade to the secure version without delay. Organizations are strongly urged to verify the software versions in use, review SSH logs for unusual root access, and patch affected systems immediately.

This vulnerability underlines the dangers of leaving development-phase credentials within production systems. With the potential for full root access and no alternative mitigations, prompt action is necessary to avoid compromise. Cisco encourages all customers to treat this issue with urgency and ensure their communications systems remain secure.