Cisco Removes Critical Backdoor Account from Unified Communications Manager

Jul 3, 2025 | News


Cisco has patched a critical backdoor vulnerability (CVE-2025-20309) in its Unified Communications Manager (Unified CM) that could have allowed unauthenticated remote attackers to gain root access on affected systems using static credentials.

What’s Affected

  • Product: Cisco Unified CM and Unified CM Session Management Edition (SME)
  • Impacted Versions: 15.0.1.13010-1 through 15.0.1.13017-1 (Engineering Special releases)
  • Severity: Maximum (CVSS: 10.0)
  • Patch Available: 15SU3 (to be released July 2025) or patch file CSCwp27755

According to Cisco’s security advisory, the vulnerability stems from hardcoded root credentials—a static user account left in the system during development and testing, which cannot be deleted or changed by users.

“An unauthenticated, remote attacker could log in to an affected device using the root account, which has default, static credentials,” Cisco warned.

Successful exploitation would allow full root-level remote access, giving attackers the ability to execute arbitrary commands and compromise telephony infrastructure and internal communications.


Detection & Mitigation

There is no workaround. The only remediation is to upgrade to a fixed version or apply the available patch.

Admins can check for signs of compromise by reviewing logs:

file get activelog syslog/secure

Look for unauthorized login entries from the root user—Cisco confirms these events are logged by default under /var/log/active/syslog/secure.
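As an added example (not from the article, Cisco or BleepingComputer), a small parser that applies the check above to secure-log lines: it extracts SSH authentication events and flags any that target the root account. The sample lines are constructed in OpenSSH auth-log style; the exact line format in Unified CM's secure log is an assumption, so adjust the regex if real entries differ.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample lines in OpenSSH auth-log style. The exact format of
# Unified CM's /var/log/active/syslog/secure is an assumption here; adjust
# LOGIN_RE if the real entries differ.
SAMPLE_SECURE_LOG = """\
Jul  1 09:14:02 cucm-pub sshd[2141]: Accepted password for admin from 10.0.5.21 port 51022 ssh2
Jul  1 09:17:45 cucm-pub sshd[2190]: Failed password for root from 203.0.113.77 port 44012 ssh2
Jul  1 09:17:49 cucm-pub sshd[2190]: Accepted password for root from 203.0.113.77 port 44012 ssh2
Jul  1 09:18:03 cucm-pub sshd[2190]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  1 10:02:11 cucm-pub sshd[2302]: Accepted publickey for admin from 10.0.5.21 port 51190 ssh2
"""

# Matches both successful and failed SSH authentication lines.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

@dataclass(frozen=True)
class LoginEvent:
    ts: str
    host: str
    result: str   # "Accepted" or "Failed"
    method: str   # e.g. "password", "publickey"
    user: str
    ip: str

def parse_logins(lines: Iterable[str]) -> List[LoginEvent]:
    """Return every SSH authentication event found in the log lines."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            events.append(LoginEvent(**m.groupdict()))
    return events

def root_logins(lines: Iterable[str]) -> List[LoginEvent]:
    """Authentication attempts against the root account, accepted or not."""
    return [e for e in parse_logins(lines) if e.user == "root"]

def accepted_root_sources(lines: Iterable[str]) -> Set[str]:
    """Source IPs that actually obtained a root session: these need triage."""
    return {e.ip for e in root_logins(lines) if e.result == "Accepted"}
```

Feed the output of `file get activelog syslog/secure` to `root_logins` and triage every source returned by `accepted_root_sources`; failed attempts against root are worth correlating with the same source addresses.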

Cisco’s Product Security Incident Response Team (PSIRT) says there’s no evidence of in-the-wild exploitation or public proof-of-concept code at this time. However, indicators of compromise have been provided for organizations to proactively check their environments.

Background & Context

Cisco Unified CM (formerly CallManager) is the core call routing and control platform for Cisco’s enterprise IP telephony solutions. It’s widely deployed in corporate, government, and critical infrastructure environments.

This marks yet another high-profile hardcoded credential issue for Cisco. Similar flaws have been found in:

  • Cisco IOS XE
  • Cisco WAAS
  • DNA Center
  • Emergency Responder
  • Smart Licensing Utility (CSLU) – patched in April 2025
  • JWT backdoor in IOS XE – removed in May 2025

These repeated discoveries underscore the ongoing risk of embedded development credentials making their way into production firmware.

Recommendations

  • Enterprise Admins: Immediately patch or upgrade affected devices.
  • Audit Logs: Use Cisco’s recommended method to detect unauthorized root access.
  • Inventory Review: Check if any devices are running vulnerable versions and schedule updates.
  • Network Segmentation: Ensure Unified CM servers are not directly exposed to the internet.


Source: bleepingcomputer.com