June 30, 2025 — Cisco has released a critical security patch addressing a severe vulnerability identified in its Unified Communications Manager (Unified CM) and the Session Management Edition (Unified CM SME).
Identified as CVE-2025-20309, the vulnerability carries the highest possible CVSS severity rating of 10.0, underscoring its critical nature. If exploited, it could give an intruder complete access to a system with full administrative rights.
Cisco traced the issue back to test credentials that were never meant to be shipped with the final product. These hardcoded login details, left over from the development phase, were supposed to be removed before deployment. But in certain versions, they remained active, allowing anyone who knows them to log in as the system’s highest-level user and run any command they want.
“The credentials were intended for internal testing and were never meant to be left active in production,” the company noted in its disclosure.
Cisco emphasized that this vulnerability affects Unified CM and Unified CM SME versions 15.0.1.13010-1 through 15.0.1.13017-1, regardless of specific device configurations. Fortunately, the company said that no evidence has been found suggesting the flaw has been exploited in the wild. The bug was flagged during routine internal security assessments.
Wider Risks in Enterprise Environments
Tools like Unified CM serve as a backbone for enterprise voice communications, routing calls, and handling user identity across large networks. With root access, an intruder isn’t just limited to the affected system—they could potentially explore deeper parts of a company’s infrastructure. That level of control might let them monitor internal voice communications, alter how users connect, or even pivot across systems to reach confidential data stored elsewhere on the network.
To help administrators spot potential misuse, Cisco shared guidance for checking system logs. One of the key locations to review is the secure log file, which may show login events tied to the root account. The log can be accessed with the following CLI command:
cucm1# file get activelog syslog/secure
A successful breach would generate a log entry in the syslog/secure file for a root-level login, which could act as an indicator of compromise (IoC).
More Patches Following Recent ISE Flaws
This latest update arrives shortly after Cisco addressed two other serious vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector, both of which also involved risks of unauthenticated root-level command execution (CVE-2025-20281 and CVE-2025-20282).
With multiple critical flaws emerging in core Cisco systems this month, security professionals are urged to verify deployments immediately and apply the necessary patches without delay.
