- Login credentials for an account with root access were found in Cisco's Unified Communications Manager
- There are no workarounds, just a patch, so users need to update now
- Different versions of the tool are affected
Another set of hard-coded credentials for admin access has been discovered in a major software application. This time it is Cisco, which discovered the slip-up in its Unified Communications Manager (Unified CM) solution.
Cisco Unified CM is an enterprise IP telephony call control platform that delivers voice, video, messaging, mobility and presence. It manages Voice over IP (VoIP) calls and handles tasks such as user/device provisioning, voicemail integration, conferencing and more.
Recently, Cisco found login credentials hard-coded into the program, enabling access with root privileges. The flaw is now tracked as CVE-2025-20309 and was given the maximum severity score of 10/10 (critical). The credentials were apparently used during development and testing, and should have been removed before the product was shipped to market.
No evidence of abuse
Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 to 15.0.1.13017-1 are said to be affected, regardless of the device configuration. There are no workarounds or mitigations, and the only way to address it is to upgrade the program to version 15SU3 (July 2025).
“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthorized, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed,
At press time, there was no evidence of abuse in the wild.
Hard-coded credentials are one of the more common causes of system infiltration. Recently, Sitecore Experience Platform, an enterprise-level content management system (CMS), was found to hold a hard-coded password for an internal user. It was only a single letter, ‘B’, which was super easy to guess.
About a year ago, security researchers from Horizon3.ai found hard-coded credentials in SolarWinds’ Web Help Desk.
Via BleepingComputer



