Cisco on Wednesday announced patches for a critical vulnerability in its Unified CM and Unified CM SME communication management software that could allow attackers to log in as the root account.
The issue, tracked as CVE-2025-20309 (CVSS score of 10/10), exists because the enterprise management tools contain default, static credentials that can not be removed or changed.
“This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development,” Cisco explains in its advisory.
An attacker could use the account to log in to a vulnerable system and execute arbitrary commands with root privileges, the tech giant warns.
Unified CM and Unified CM SME Engineering Special (ES) versions 15.0.1.13010-1 through 15.0.1.13017-1 are affected, regardless of the device’s configuration.
Cisco has released a path file that addresses the issue and will include the fix in Unified CM and Unified CM SME release 15SU3, which is expected to roll out this month.
According to the company, successful exploitation of the bug should show a log entry for the root user in var/log/active/syslog/secure. Organizations should retrieve the logs to hunt for potential compromise. However, Cisco says it is not aware of this vulnerability being exploited in the wild.
On Wednesday, the tech giant also announced patches for three medium-severity vulnerabilities affecting Spaces Connector, Enterprise Chat and Email (ECE), and BroadWorks Application Delivery Platform, which could lead to privilege escalation and XSS attacks.
Cisco says it has not seen these security defects being exploited in attacks either. Additional information can be found on Cisco’s security advisories page.
