Cisco Unified Communications Manager Static SSH Credentials Vulnerability (CVE-2025-20309)

Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) are affected by a hardcoded root SSH credential vulnerability tracked as CVE-2025-20309. The vulnerability has a critical severity rating with a CVSS score of 10. An attacker may exploit the vulnerability to log in to the affected system and execute arbitrary commands as the root user.

Cisco mentioned in the advisory that they are unaware of any public announcements or malicious use of the vulnerability.

Cisco Unified Communications Manager (CUCM) is a call processing and session management platform that enables enterprises to manage voice, video, messaging, and other collaboration services across various devices and locations. It is the central control system for Cisco’s unified communications solutions, facilitating communication and collaboration for hybrid workforces.

Vulnerability Details

The vulnerability exists because the root account has static user credentials that were reserved for use during development. An attacker may exploit this vulnerability by using the account to log in to an affected system.

Upon successful exploitation, an unauthenticated, remote attacker may log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.

Indicators of Compromise

A log entry in /var/log/active/syslog/secure for the root user with root permissions would confirm successful exploitation. Logging of this event is enabled by default.

Users can run the following command from the CLI to retrieve the logs:

cucm1# file get activelog syslog/secure
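Once the file has been retrieved, it can be searched offline for root SSH logins. The script below is an added example, not code from Cisco or Qualys. It assumes the entries follow the standard OpenSSH and pam_unix syslog wording, which this page does not spell out, and the sample lines in it are constructed.

```python
import re

# Assumed formats: standard OpenSSH / pam_unix syslog messages. The page only
# says that a root entry appears in syslog/secure, not its exact layout.
SESSION_RE = re.compile(
    r"sshd(?:\[\d+\])?:\s+pam_unix\(sshd:session\): session opened for user "
    r"root(?:\(uid=0\))? by\b"
)
ACCEPTED_RE = re.compile(
    r"sshd(?:\[\d+\])?:\s+Accepted (?P<method>\S+) for root from (?P<src>\S+) port \d+"
)

def find_root_ssh_logins(lines):
    """Return a list of (line_number, kind, source_ip_or_None, text) hits."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        text = raw.rstrip("\n")
        accepted = ACCEPTED_RE.search(text)
        if accepted:
            # sshd's own record of the login; carries the source address.
            hits.append((number, "accepted", accepted.group("src"), text))
        elif SESSION_RE.search(text):
            # PAM record of the root session being opened through sshd.
            hits.append((number, "session", None, text))
    return hits

# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = """\
Jul  2 09:14:01 cucm1 authpriv 6 sshd: pam_unix(sshd:session): session opened for user administrator by (uid=0)
Jul  2 09:20:17 cucm1 authpriv 5 sshd[4211]: Failed password for root from 192.0.2.44 port 50122 ssh2
Jul  2 09:20:31 cucm1 authpriv 6 sshd[4211]: Accepted password for root from 192.0.2.44 port 50122 ssh2
Jul  2 09:20:31 cucm1 authpriv 6 sshd: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  2 09:25:02 cucm1 authpriv 6 crond: pam_unix(crond:session): session opened for user root by (uid=0)
""".splitlines()

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Path to the secure log retrieved from the node.
        with open(sys.argv[1], errors="replace") as fh:
            source = fh.readlines()
    else:
        source = SAMPLE_LOG
    for number, kind, src, text in find_root_ssh_logins(source):
        print(f"line {number} [{kind}] src={src or '-'}: {text}")
```

Root sessions opened by local services such as cron are deliberately not reported; only entries written by sshd are.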

Affected Versions

This vulnerability affects Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1, regardless of device configuration.

Note: ES releases are limited; fixed releases are distributed only by the Cisco Technical Assistance Center (TAC).

Mitigation

Cisco provides two ways to patch the vulnerability:

  1. Upgrade to Cisco Unified CM and Unified CM SME Release version 15US3

or

  1. Apply the patch: ciscocm.CSCwp27755_D0247-1.cop.sha512

Customers can refer to the Cisco Security Advisory (cisco-sa-cucm-ssh-m4UBdpE7) for information about patches released for the vulnerability.

Qualys Detection

Qualys customers can scan their devices with QID 317668 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7
