Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

Hard-coded root SSH credentials in Cisco Unified CM and Unified CM SME

IdentifiersCVE-2025-20309CWE-798· Use of Hard-coded Credentials

CVE-2025-20309 is a critical vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). The issue is caused by static, hard-coded credentials for the root account that were reserved for development use but remained present in affected production software. These credentials cannot be changed or deleted by administrators. An unauthenticated remote attacker can exploit the flaw by connecting to the affected system over SSH and authenticating with the embedded root credentials. Successful exploitation results in direct root shell access and the ability to execute arbitrary commands on the underlying operating system.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation gives an unauthenticated remote attacker root-level access to the affected device, resulting in full compromise of the system. This includes the ability to execute arbitrary commands as root and a complete loss of confidentiality, integrity, and availability on the affected Unified CM or Unified CM SME instance.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting SSH access to trusted administrative networks only, closely monitoring for suspicious SSH activity, and specifically reviewing logs for root SSH logins. The content notes that indicators can be checked in /var/log/active/syslog/secure and via Cisco log retrieval such as "file get activelog syslog/secure". Increase alerting on unexpected root access and failed or anomalous SSH authentication attempts. These measures are compensating controls only and do not remove the vulnerable backdoor account.

Remediation

Patch, then assume compromise.

Apply Cisco-provided software updates that remove the hard-coded root credentials. The provided content states that the only fix is to upgrade to version 15SU3 or apply Cisco patch CSCwp27755, and more generally to install Cisco security updates for affected Unified CM and Unified CM SME releases. Because patching does not remediate any prior compromise, organizations should also perform incident response and forensic review if unauthorized root access is suspected.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Cisco SystemsUnified Communications Managerapplication
Cisco SystemsUnified Communications Manager Session Management Editionapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

49 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

49 SOURCESView more in app
the hacker newsNews
Jun 4, 2026
Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public

A Cisco Unified CM vulnerability involving a hard-coded root SSH account left in from development.

Read more
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

A maximum-severity Cisco Unified CM / Unified CM SME issue that allows root login via static credentials, leading to elevated privileges.

Read more
help net securityNews
Jul 6, 2025
Week in review: Sudo local privilege escalation flaws fixed, Google patches actively exploited Chrome

A maximum-severity vulnerability in Cisco Unified Communications Manager and Session Management Edition due to default root credentials, allowing unauthenticated remote attackers to gain root access and execute arbitrary commands.

Read more
vulnuNews
Jul 4, 2025
🎓️ Vulnerable U | #123 - Top Industry Cybersecurity News

A critical hardcoded root SSH backdoor in Cisco Unified Communications Manager allows attackers to gain root access using static credentials that cannot be changed or deleted.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity43

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-20309
NVD
nvd.nist.gov/vuln/detail/CVE-2025-20309
MITRE CWE · CWE-798
Use of Hard-coded Credentials
Patch
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7