Cisco has eliminated a backdoor account from its Unified Communications Supervisor (Unified CM), which might have allowed distant attackers to log in to unpatched gadgets with root privileges.
Cisco Unified Communications Supervisor (CUCM), previously often known as Cisco CallManager, serves because the central management system for Cisco’s IP telephony techniques, dealing with name routing, gadget administration, and telephony options.
The vulnerability (tracked as CVE-2025-20309) was rated as most severity, and it’s attributable to static consumer credentials for the basis account, which have been supposed to be used throughout improvement and testing.
In line with a Cisco safety advisory launched on Wednesday, CVE-2025-20309 impacts Cisco Unified CM and Unified CM SME Engineering Particular (ES) releases 15.0.1.13010-1 by means of 15.0.1.13017-1, whatever the gadget configuration.
The corporate added that there aren’t any workarounds that deal with the vulnerability. Admins can solely repair the flaw and take away the backdoor account by upgrading weak gadgets to Cisco Unified CM and Unified CM SME 15SU3 (July 2025) or by making use of the CSCwp27755 patch file accessible right here.
“A vulnerability in Cisco Unified Communications Supervisor (Unified CM) and Cisco Unified Communications Supervisor Session Administration Version (Unified CM SME) may permit an unauthenticated, distant attacker to log in to an affected gadget utilizing the basis account, which has default, static credentials that can not be modified or deleted,” Cisco defined.
Following profitable exploitation, attackers may achieve entry to the weak techniques and execute arbitrary instructions with root privileges.
Whereas the Cisco Product Safety Incident Response Staff (PSIRT) will not be but conscious of proof-of-concept code accessible on-line or exploitation in assaults, the corporate has launched indicators of compromise to assist establish impacted gadgets.
As Cisco acknowledged, exploitation of CVE-2025-20309 would lead to a log entry to /var/log/energetic/syslog/safe for the basis consumer with root permissions. Since logging of this occasion is enabled by default, admins can retrieve the logs to search for exploitation makes an attempt by working the next command from the command line: file get activelog syslog/safe.
That is removed from the primary backdoor account Cisco needed to take away from its merchandise in recent times, with earlier hardcoded credentials present in its IOS XE, Broad Space Utility Companies (WAAS), Digital Community Structure (DNA) Heart, and Emergency Responder software program.
Extra lately, Cisco warned admins in April to patch a crucial Cisco Good Licensing Utility (CSLU) vulnerability that exposes a built-in backdoor admin account utilized in assaults. One month later, the corporate eliminated a hardcoded JSON Internet Token (JWT) that enables unauthenticated distant attackers to take over IOS XE gadgets.
Whereas cloud assaults could also be rising extra subtle, attackers nonetheless succeed with surprisingly easy strategies.
Drawing from Wiz’s detections throughout 1000’s of organizations, this report reveals 8 key strategies utilized by cloud-fluent menace actors.
