Overview

CVE: CVE-2025-20309
Severity: CRITICAL
Score: 10.0
Date: 3 July 2025

A critical vulnerability (CVE-2025-20309, CVSS 10.0) has been identified in Cisco Unified Communications Manager (Unified CM) and Session Management Edition (Unified CM SME). The flaw allows an unauthenticated, remote attacker to log in as root using static, hardcoded credentials that were left in place for development purposes. These credentials cannot be changed or deleted. Successful exploitation provides full root access, enabling arbitrary command execution on the affected system.


Affected Versions

Engineering Special (ES) versions 15.0.1.13010-1 through 15.0.1.13017-1


Mitigation

  • Upgrade to Cisco Unified CM and Unified CM SME 15SU3 (July 2025) or apply the CSCwp27755 patch
  • Review Cisco’s official security advisory for further details and patch instructions


Summary for IT Teams

  • Products: Cisco Unified Communications Manager (Unified CM, SME)
  • Threat Level: CRITICAL
  • Action:
    • Immediately patch affected systems or upgrade to 15SU3
    • Audit access logs for unexpected root login attempts
    • Disable remote access if patching is delayed
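To support the first two actions above, here is an added helper (not Cisco's tooling and not part of the original advisory) that checks a Unified CM version string against the affected Engineering Special range and flags successful root SSH logins in log lines. It assumes the dotted-plus-build version format shown in the advisory (e.g. 15.0.1.13010-1) and an OpenSSH-style "Accepted ... for root" log line; the exact Unified CM log format is not given on this page, so the pattern is an assumption to adapt.

```python
"""Check Unified CM versions against the CVE-2025-20309 affected range and
scan log lines for root SSH logins. Added example, not Cisco's own code."""
import re
from typing import List, Tuple

# Affected Engineering Special range as stated in the advisory (inclusive).
AFFECTED_FIRST = "15.0.1.13010-1"
AFFECTED_LAST = "15.0.1.13017-1"

# Assumed format: four dotted integers plus a dash-separated build number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.0.1.13010-1' into a comparable tuple (15, 0, 1, 13010, 1)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Unified CM version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls inside the vulnerable ES range."""
    v = parse_version(version)
    return parse_version(AFFECTED_FIRST) <= v <= parse_version(AFFECTED_LAST)


# Assumed OpenSSH-style secure-log line; adjust to your platform's log format.
_ROOT_LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for root from (\S+)")


def root_ssh_logins(log_lines: List[str]) -> List[str]:
    """Return source addresses of successful root SSH logins found in the lines."""
    hits = []
    for line in log_lines:
        m = _ROOT_LOGIN_RE.search(line)
        if m:
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    # Constructed sample data for demonstration only.
    for v in ("15.0.1.13010-1", "15.0.1.13017-1", "15.0.1.13018-1", "14.0.1.10000-1"):
        print(v, "AFFECTED" if is_affected(v) else "not in affected range")
    sample_log = [
        "Jul  3 10:15:02 cucm sshd[2311]: Accepted password for admin from 10.0.0.5 port 51022 ssh2",
        "Jul  3 10:16:40 cucm sshd[2398]: Accepted password for root from 203.0.113.7 port 40211 ssh2",
    ]
    print("root logins from:", root_ssh_logins(sample_log))
```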

References


Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.