Cisco warns of a serious security flaw in comms platform - and that it needs patching immediately

3 weeks ago 16

Image Credit: Pixabay (Image credit: Image Credit: Geralt / Pixabay)

Login credentials for an account with root access was found in Cisco's Unified Communications Manager
There are no workarounds, just a patch, so users should update now
Different versions of the tool are affected

Another hardcoded credential for admin access has been discovered in a major software application - this time around it’s Cisco, who discovered the slip-up in its Unified Communications Manager (Unified CM) solution.

Cisco Unified CM is an enterprise-grade IP telephony call control platform providing voice, video, messaging, mobility, and presence services. It manages voice-over-IP (VoIP) calls, and allows for the management of tasks such as user/device provisioning, voicemail integration, conferencing, and more.

Recently, Cisco found login credentials coded into the program, allowing for access with root privileges. The bug is now tracked as CVE-2025-20309, and was given a maximum severity score - 10/10 (critical). The credentials were apparently used during development and testing, and should have been removed before the product was shipped to the market.

No evidence of abuse

Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1 were said to be affected, regardless of the device configuration. There are no workarounds or mitigations, and the only way to address it is to upgrade the program to version 15SU3 (July 2025).

“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted," Cisco said.

At press time, there was no evidence of abuse in the wild.

Hardcoded credentials are one of the more common causes of system infiltrations. Just recently Sitecore Experience Platform, an enterprise-level content management system (CMS), held a hardcoded password for an internal user. It was just one letter - ‘b’ - which was super easy to guess.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Roughly a year ago, security researchers from Horizon3.ai found hardcoded credentials in SolarWinds’ Web Help Desk.

Via BleepingComputer

New Chrome flaw leaks sensitive information across websites - your data could already be in the wrong hands
Take a look at our guide to the best authenticator app
We've rounded up the best password managers

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read Entire Article