The Register

Cisco scores a perfect 10 – sadly for a critical flaw in its comms platform

If you’re running the Engineering-Special (ES) builds of Cisco Unified Communications Manager or its Session Management Edition, you need to apply Cisco’s urgent patch after someone at Switchzilla made a big mistake.

Cisco Unified Communications Manager (CM) consolidates IP telephony, high-definition video, unified messaging, instant messaging, and Presence status indicators. Its Session Management Edition centralizes dial-plan and trunk aggregation across multi-site deployments.

However, the ES builds of both packages have hardcoded credentials baked in, and they cannot be changed or deleted, meaning an unauthenticated, remote attacker can quickly get themselves full root control of a system if they know where to look. There’s no workaround, and the only solution is to upgrade to the newest code for Unified CM, Cisco said.

There is an ostensible purpose behind the mistake, dubbed CVE-2025-20309, with a critical rating of 10.0. The credentials have been left in there to make development work easier, Cisco said in its advisory. However, if the attacker identifies the development account, then they can use these credentials and gain root – and then it’s game over for users.

The affected packages are Cisco Unified CM and Unified CM SME Engineering Special releases 15.0.1.13010-1 through 15.0.1.13017-1, and admins can find the patch needed to fix the issue here. If you want the ES patch, however, you need to go to your Cisco Technical Assistance Center account to get the fix.

To check whether some malicious actor has already had a go at this, admins need to look for log entries in

/var/log/active/syslog/secure

which can be retrieved with the command

cucm1# file get activelog syslog/secure

from the command line. Admins should then look for sshd entries recording a successful SSH login as root – if any are there, that’s a parade of red flags.
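As an added illustration of that check (not code from Cisco or the advisory), the script below scans lines retrieved from the secure log for sshd "Accepted ... for root" entries and tallies preceding failed root attempts per source. It assumes sshd writes the standard OpenSSH syslog line format; the hostname, addresses and timestamps in the sample are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Standard OpenSSH syslog lines (format assumed; CUCM's ES builds may add prefixes).
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

@dataclass(frozen=True)
class RootLogin:
    ts: str
    host: str
    method: str
    src: str
    port: int

def find_root_logins(lines, user="root"):
    """Return every successful SSH login for `user` found in the log lines."""
    hits = []
    for line in lines:
        m = ACCEPTED_RE.match(line.rstrip("\n"))
        if m and m.group("user") == user:
            hits.append(RootLogin(m["ts"], m["host"], m["method"], m["src"], int(m["port"])))
    return hits

def failed_root_attempts(lines, user="root"):
    """Count failed SSH attempts for `user` per source address (context for a hit)."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m and m.group("user") == user:
            counts[m.group("src")] += 1
    return dict(counts)

# Constructed sample of what `file get activelog syslog/secure` might return.
SAMPLE_SECURE_LOG = """\
Jul  2 09:14:05 cucm1 sshd[4021]: Accepted password for admin from 198.51.100.7 port 50210 ssh2
Jul  2 09:14:06 cucm1 sshd[4021]: pam_unix(sshd:session): session opened for user admin
Jul  2 11:02:44 cucm1 sshd[4188]: Failed password for root from 203.0.113.9 port 41822 ssh2
Jul  2 11:02:51 cucm1 sshd[4188]: Accepted password for root from 203.0.113.9 port 41822 ssh2
Jul  2 11:02:51 cucm1 sshd[4188]: pam_unix(sshd:session): session opened for user root
"""

if __name__ == "__main__":
    lines = SAMPLE_SECURE_LOG.splitlines()
    for hit in find_root_logins(lines):
        print(f"ROOT SSH LOGIN {hit.ts} on {hit.host} from {hit.src}:{hit.port} via {hit.method}")
    print("failed root attempts by source:", failed_root_attempts(lines))
```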

Security staff at Cisco have got to be feeling nervous for their jobs at the moment – this is the second CVSS 10 flaw in a week and the third critical. On June 26, Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector were fixed, one an (im)perfect 10 and the other just a CVSS 9.8. Admins, and Cisco itself, better get busy locking down their systems. ®
