Cisco warns of a serious security flaw in comms platform - and that it needs patching immediately

News
By published

Researchers found hardcoded credentials in Cisco Unified Communications Manager

cybersecurity
Image Credit: Pixabay (Image credit: Image Credit: Geralt / Pixabay)
  • Login credentials for an account with root access was found in Cisco's Unified Communications Manager
  • There are no workarounds, just a patch, so users should update now
  • Different versions of the tool are affected

Another hardcoded credential for admin access has been discovered in a major software application - this time around it’s Cisco, who discovered the slip-up in its Unified Communications Manager (Unified CM) solution.

Cisco Unified CM is an enterprise-grade IP telephony call control platform providing voice, video, messaging, mobility, and presence services. It manages voice-over-IP (VoIP) calls, and allows for the management of tasks such as user/device provisioning, voicemail integration, conferencing, and more.

Recently, Cisco found login credentials coded into the program, allowing for access with root privileges. The bug is now tracked as CVE-2025-20309, and was given a maximum severity score - 10/10 (critical). The credentials were apparently used during development and testing, and should have been removed before the product was shipped to the market.

Get 55% off Incogni's Data Removal service with code TECHRADAR

Get 55% off Incogni's Data Removal service with code TECHRADAR

Wipe your personal data off the internet with the Incogni data removal service. Stop identity thieves
and protect your privacy from unwanted spam and scam calls.

View Deal

No evidence of abuse

Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1 were said to be affected, regardless of the device configuration. There are no workarounds or mitigations, and the only way to address it is to upgrade the program to version 15SU3 (July 2025).

“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted," Cisco said.

At press time, there was no evidence of abuse in the wild.

Hardcoded credentials are one of the more common causes of system infiltrations.

Recently Sitecore Experience Platform, an enterprise-level content management system (CMS), was found to have held a hardcoded password for an internal user which was just one letter - ‘b’ - making it incredibly easy to guess.

And in August 2024, security researchers from Horizon3.ai found hardcoded credentials had been left in SolarWinds’ Web Help Desk product.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.