- Login credentials for an account with root access was found in Cisco's Unified Communications Manager
- There are no workarounds, just a patch, so users should update now
- Different versions of the tool are affected
Another hardcoded credential for admin access has been discovered in a major software application - this time around it’s Cisco, who discovered the slip-up in its Unified Communications Manager (Unified CM) solution.
Cisco Unified CM is an enterprise-grade IP telephony call control platform providing voice, video, messaging, mobility, and presence services. It manages voice-over-IP (VoIP) calls, and allows for the management of tasks such as user/device provisioning, voicemail integration, conferencing, and more.
Recently, Cisco found login credentials coded into the program, allowing for access with root privileges. The bug is now tracked as CVE-2025-20309, and was given a maximum severity score - 10/10 (critical). The credentials were apparently used during development and testing, and should have been removed before the product was shipped to the market.
No evidence of abuse
Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1 were said to be affected, regardless of the device configuration. There are no workarounds or mitigations, and the only way to address it is to upgrade the program to version 15SU3 (July 2025).
“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted," Cisco said.
At press time, there was no evidence of abuse in the wild.
Hardcoded credentials are one of the more common causes of system infiltrations.
Recently Sitecore Experience Platform, an enterprise-level content management system (CMS), was found to have held a hardcoded password for an internal user which was just one letter - ‘b’ - making it incredibly easy to guess.
And in August 2024, security researchers from Horizon3.ai found hardcoded credentials had been left in SolarWinds’ Web Help Desk product.
Via BleepingComputer
You might also like
- New Chrome flaw leaks sensitive information across websites - your data could already be in the wrong hands
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
