Cisco has launched safety updates to deal with a maximum-severity safety flaw in Unified Communications Supervisor (Unified CM) and Unified Communications Supervisor Session Administration Version (Unified CM SME) that would allow an attacker to login to a inclined gadget as the basis person, permitting them to realize elevated privileges.
The vulnerability, tracked as CVE-2025-20309carries a CVSS rating of 10.0.
“This vulnerability is as a result of presence of static person credentials for the basis account which are reserved to be used throughout improvement,” Cisco stated in an advisory launched Wednesday.
“An attacker may exploit this vulnerability through the use of the account to log in to an affected system. A profitable exploit may permit the attacker to log in to the affected system and execute arbitrary instructions as the basis person.”
Hardcoded credentials like this often come from testing or fast fixes throughout improvement, however they need to by no means make it into reside techniques. In instruments like Unified CM that deal with voice calls and communication throughout an organization, root entry can let attackers transfer deeper into the community, pay attention to calls, or change how customers log in.
The networking gear main stated it discovered no proof of the flaw being exploited within the wild, and that it was found throughout inside safety testing.
CVE-2025-20309 impacts Unified CM and Unified CM SME variations 15.0.1.13010-1 by 15.0.1.13017-1, no matter gadget configuration.
Cisco has additionally launched indicators of compromise (IoCs) related to the flaw, stating profitable exploitation would end in a log entry to “/var/log/energetic/syslog/safe” for the basis person with root permissions. The log can retrieved by operating the beneath command from the command-line interface –
cucm1# file get activelog syslog/safe
The event comes merely days after the corporate fastened two safety flaws in Id Providers Engine and ISE Passive Id Connector (CVE-2025-20281 and CVE-2025-20282) that would allow an unauthenticated attacker to execute arbitrary instructions as the basis person.
#Important #Cisco #Vulnerability #Unified #Grants #Root #Entry #Static #Credentials
Azeem Rajpoot, the author behind This Blog, is a passionate tech enthusiast with a keen interest in exploring and sharing insights about the rapidly evolving world of technology.
With a background in Blogging, Azeem Rajpoot brings a unique perspective to the blog, offering in-depth analyses, reviews, and thought-provoking articles. Committed to making technology accessible to all, Azeem strives to deliver content that not only keeps readers informed about the latest trends but also sparks curiosity and discussions.
Follow Azeem on this exciting tech journey to stay updated and inspired.