Cisco has disclosed a critical vulnerability in its Unified Communications Manager (Unified CM) and Session Management Edition (SME) platforms. Tracked as CVE-2025-20309 and rated CVSS 10, the flaw exposes affected devices to unauthenticated remote access via static root credentials—credentials that cannot be changed or deleted.
“This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development,” the Cisco advisory explains.
This vulnerability affects Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1, regardless of device configuration.
In the simplest terms: a remote attacker, with no prior authentication, can log into a vulnerable device as root—the highest privilege level on a Unix-based system. Once in, they can execute arbitrary commands, fully compromising the integrity and availability of the affected communications platform.
“A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.”
While no known exploitation in the wild has been observed, this vulnerability represents a critical supply-chain oversight—development-stage credentials accidentally shipped into production.
Cisco provides guidance on identifying possible indicators of compromise (IoCs) using the system logs:
If you find an entry in /var/log/active/syslog/secure that shows a root-level SSH login, it could signal exploitation. For example:
To retrieve relevant logs, Cisco advises running:
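As an added illustration (not from the Cisco advisory), the following Python script scans a copy of the secure log for accepted root SSH logins, the indicator Cisco describes above. The sample lines are constructed, and the script assumes the Unified CM secure log uses the standard OpenSSH sshd syslog format.

```python
import re
import sys

# Constructed sample of /var/log/active/syslog/secure (not taken from the advisory).
# Format assumed to match standard OpenSSH sshd syslog output.
SAMPLE_SECURE_LOG = """\
Jul  2 10:15:01 cucm-pub sshd[2345]: Accepted password for admin from 10.0.0.5 port 51234 ssh2
Jul  2 10:16:44 cucm-pub sshd[2398]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jul  2 10:17:02 cucm-pub sshd[2401]: Accepted password for root from 198.51.100.7 port 40215 ssh2
Jul  2 10:17:03 cucm-pub sshd[2401]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# Matches only successful sshd logins; failed attempts are noise for this indicator.
SSH_ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def find_root_ssh_logins(log_text: str) -> list:
    """Return one record per accepted SSH login for the root user."""
    hits = []
    for line in log_text.splitlines():
        m = SSH_ACCEPTED_RE.match(line)
        if m and m.group("user") == "root":
            hits.append({
                "timestamp": m.group("ts"),
                "host": m.group("host"),
                "src": m.group("src"),
                "port": int(m.group("port")),
                "method": m.group("method"),
            })
    return hits


def sources_by_count(hits: list) -> dict:
    """Count root logins per source address to prioritise triage."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    # Pass a path to an exported secure log, otherwise scan the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECURE_LOG
    for hit in find_root_ssh_logins(text):
        print(f"{hit['timestamp']} root login on {hit['host']} from {hit['src']}:{hit['port']} ({hit['method']})")
```

Any root SSH login on these appliances is worth investigating, since interactive root access is not part of normal administration; correlate the source address and timestamp against known maintenance activity.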
Cisco has issued a fix in the form of a Service Update (15SU3), released in July 2025, and also offers a patch file. Cisco urges customers running affected ES releases to apply the patch immediately or upgrade to a non-vulnerable version.