
Cisco warns that Unified CM has hardcoded root SSH credentials


Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM), which could have allowed remote attackers to log in to unpatched devices with root privileges.

Cisco Unified Communications Manager (CUCM), formerly known as Cisco CallManager, serves as the central control system for Cisco's IP telephony deployments, handling call routing, device management, and telephony features.

The vulnerability (tracked as CVE-2025-20309) was rated as maximum severity, and it is caused by static user credentials for the root account, which were intended for use during development and testing.

According to a Cisco security advisory released on Wednesday, CVE-2025-20309 affects Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1, regardless of device configuration.

The company added that there are no workarounds that address the vulnerability. Admins can only fix the flaw and remove the backdoor account by upgrading vulnerable devices to Cisco Unified CM and Unified CM SME 15SU3 (July 2025) or by applying the CSCwp27755 patch file available here.

“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted,” Cisco explained.

Following successful exploitation, attackers could gain access to the vulnerable systems and execute arbitrary commands with root privileges.

While the Cisco Product Security Incident Response Team (PSIRT) is not yet aware of proof-of-concept code available online or of exploitation in attacks, the company has released indicators of compromise to help identify impacted devices.

As Cisco stated, exploitation of CVE-2025-20309 would result in a log entry in /var/log/active/syslog/secure for the root user with root permissions. Since logging of this event is enabled by default, admins can retrieve the logs and look for exploitation attempts by running the following command from the command line: file get activelog syslog/secure.
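To illustrate the check Cisco describes, here is an added triage script (not from Cisco or the article) that scans a retrieved copy of syslog/secure for successful SSH authentications as root. It assumes the file uses the standard OpenSSH sshd line format; the sample lines and hostnames below are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in standard OpenSSH secure-log format (an assumption:
# the article does not show the exact line format Cisco's advisory describes).
SAMPLE_SECURE_LOG = """\
Jul  2 09:14:03 cucm-pub sshd[4123]: Accepted password for admin from 10.0.5.20 port 51234 ssh2
Jul  2 09:15:41 cucm-pub sshd[4198]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jul  2 09:15:44 cucm-pub sshd[4198]: Accepted password for root from 203.0.113.7 port 40022 ssh2
Jul  2 09:15:44 cucm-pub sshd[4198]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  2 09:20:10 cucm-pub sshd[4301]: Accepted publickey for root from 192.0.2.9 port 33010 ssh2
"""

# Match a successful sshd authentication and capture the method, user and source.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class RootLogin:
    timestamp: str
    method: str
    source: str
    port: int


def find_root_logins(log_text: str) -> list[RootLogin]:
    """Return every successful SSH authentication as root found in the log text.

    Failed attempts and session-open lines are ignored; only 'Accepted ... for root'
    lines count, since those are the ones that indicate the static root credentials
    actually granted a login.
    """
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m and m.group("user") == "root":
            hits.append(RootLogin(m.group("ts"), m.group("method"),
                                  m.group("src"), int(m.group("port"))))
    return hits


if __name__ == "__main__":
    # Replace SAMPLE_SECURE_LOG with the contents of the file retrieved via
    # 'file get activelog syslog/secure' to triage a real appliance.
    for hit in find_root_logins(SAMPLE_SECURE_LOG):
        print(f"{hit.timestamp}  root login via {hit.method} from {hit.source}:{hit.port}")
```

Any hit is worth investigating, since interactive root SSH logins are not expected on a Unified CM appliance in normal operation.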

This is far from the first backdoor account Cisco has had to remove from its products in recent years, with earlier hardcoded credentials found in its IOS XE, Wide Area Application Services (WAAS), Digital Network Architecture (DNA) Center, and Emergency Responder software.

More recently, Cisco warned admins in April to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability that exposes a built-in backdoor admin account used in attacks. One month later, the company removed a hardcoded JSON Web Token (JWT) that allows unauthenticated remote attackers to take over IOS XE devices.
