PT-2025-27659 · Cisco · Cisco Unified Communications Manager Session Management Edition
Published: 2025-07-02 · Updated: 2026-05-25 · CVE-2025-20309
CVSS v3.1: 10 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Cisco Unified Communications Manager (Unified CM) versions 15.0.1.13010-1 through 15.0.1.13017-1
Cisco Unified Communications Manager Session Management Edition (Unified CM SME) versions 15.0.1.13010-1 through 15.0.1.13017-1
Description
A vulnerability exists in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) that could allow an unauthenticated, remote attacker to log in to an affected device using the root account. This is due to the presence of static, hardcoded credentials for the root account, which were reserved for development purposes and cannot be modified or deleted. Successful exploitation could grant the attacker root access and the ability to execute arbitrary commands on the system. This vulnerability is actively exploited.
Recommendations
Update Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) to version 15SU3 or apply the CSCwp27755 patch immediately.
Tags: Fix · RCE · Using Hardcoded Credentials
Affected Products
Cisco Unified Communications Manager
Cisco Unified Communications Manager Session Management Edition