Cisco Removes Backdoor Account from Unified Communications Manager Amidst Critical SSH Credentials Vulnerability
Cisco has addressed a serious vulnerability in its Unified Communications Manager (Unified CM) communications platform, removing a backdoor account that could be exploited by remote attackers. The issue, tracked as CVE-2025-20309 and rated at a CVSS score of 10, allows unauthenticated, remote attackers to log in to affected devices using hardcoded root credentials set during development.
Unified Communications Manager is a critical call processing system developed by Cisco for enterprise-level voice, video, messaging, and mobility communications. The vulnerability affects Cisco Unified CM and Session Management Edition (Unified CM SME) Engineering Special releases 15.0.1.13010-1 to 15.0.1.13017-1, regardless of configuration. This means that all affected devices are at risk if they fall within the specified release range.
Unfortunately, there is no workaround for this vulnerability, and Cisco recommends that administrators upgrade to an appropriate fixed software release immediately. However, it's worth noting that Cisco PSIRT (Product Security Incident Response Team) is not aware of any attacks exploiting this vulnerability in the wild, which is reassuring.
The Vulnerability: A Critical Risk for Affected Devices
The vulnerability allows remote attackers to log in to affected systems using default, static credentials reserved for use during development. These credentials cannot be changed or deleted, so an attacker who reaches the SSH service can authenticate as root and run any command. No prior authentication or user interaction is needed, which amplifies the risk of exploitation.
Because the resulting access is full root, a successful attacker compromises the entire device. This makes upgrading to a fixed software release as soon as possible the only effective remediation.
Cisco's Response: Removing the Backdoor Account
To address this critical vulnerability, Cisco has removed the backdoor account from its Unified Communications Manager (Unified CM). The removal is delivered through the fixed software releases, so devices are protected only once they have been upgraded.
However, administrators must take proactive steps to secure their systems by upgrading to a fixed software release. Only the listed set of ES releases is vulnerable, and no Service Updates (SUs) for any releases are affected. Cisco provides Indicators of Compromise (IoCs) for detecting devices potentially affected by the recent vulnerability.
To check whether a device has been compromised, use the CLI to retrieve the system log (/var/log/active/syslog/secure) and look for entries showing both sshd and a root login session. This logging is enabled by default, so the log provides an early indicator of a potential attack.
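The indicator above, turned into a small checker as an added example (this is not Cisco's tooling or the advisory's own command): it scans a copy of the secure log for sshd entries that record a root login or root session and skips everything else. The log lines are constructed for illustration and assume the usual syslog/PAM wording; a real export should be reviewed against Cisco's published IoC text.

```python
import re

# Constructed sample of /var/log/active/syslog/secure contents (not real device output).
SAMPLE_SECURE_LOG = """\
Jul  2 09:14:01 ucm-node1 sshd[2210]: Accepted password for admin from 10.0.0.12 port 51012 ssh2
Jul  2 09:14:01 ucm-node1 sshd[2210]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jul  2 09:22:47 ucm-node1 sshd[2388]: Accepted password for root from 203.0.113.45 port 40022 ssh2
Jul  2 09:22:47 ucm-node1 sshd[2388]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  2 09:30:10 ucm-node1 sudo: admin : TTY=pts/0 ; USER=root ; COMMAND=/bin/ls
Jul  2 09:31:05 ucm-node1 sshd[2401]: Failed password for root from 198.51.100.7 port 33000 ssh2
"""

# The IoC requires BOTH conditions: the entry comes from sshd, and it records a root login/session.
SSHD_RE = re.compile(r"\bsshd\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
ROOT_LOGIN_RE = re.compile(
    r"(Accepted \S+ for root from (?P<ip>\S+))"   # successful root authentication, with source IP
    r"|(session opened for user root\b)"          # PAM session start for root
)


def find_root_ssh_logins(log_text):
    """Return (line_no, sshd_pid, source_ip_or_None, raw_line) for each matching entry."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        sshd = SSHD_RE.search(line)
        if not sshd:
            continue  # sudo, su and other daemons are not the IoC; only sshd entries count
        root = ROOT_LOGIN_RE.search(sshd.group("msg"))
        if not root:
            continue  # sshd entry for a non-root user, or a failed root attempt
        hits.append((line_no, int(sshd.group("pid")), root.group("ip"), line))
    return hits


def root_ssh_session_pids(log_text):
    """Distinct sshd PIDs that carried a root session; each is one login to investigate."""
    return sorted({pid for _, pid, _, _ in find_root_ssh_logins(log_text)})


if __name__ == "__main__":
    for line_no, pid, ip, line in find_root_ssh_logins(SAMPLE_SECURE_LOG):
        print(f"line {line_no} (sshd pid {pid}, source {ip or 'n/a'}): {line}")
    print("root SSH sessions:", root_ssh_session_pids(SAMPLE_SECURE_LOG))
```

Only lines 3 and 4 of the sample are reported; the admin login, the sudo entry and the failed root attempt are ignored.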
Stay Safe with Cisco
Cisco's proactive response to this vulnerability demonstrates its commitment to security. As users and administrators, it's crucial to stay informed about potential threats and take steps to protect our systems.