Cisco Warns of Hardcoded Credentials in Enterprise Software

Cisco on Wednesday announced patches for a critical vulnerability in its Unified CM and Unified CM SME communication management software that could allow attackers to log in as the root account.

The issue, tracked as CVE-2025-20309 (CVSS score of 10/10), exists because the enterprise management tools contain default, static credentials that can not be removed or changed.

“This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development,” Cisco explains in its advisory.

An attacker could use the account to log in to a vulnerable system and execute arbitrary commands with root privileges, the tech giant warns.

Unified CM and Unified CM SME Engineering Special (ES) versions 15.0.1.13010-1 through 15.0.1.13017-1 are affected, regardless of the device’s configuration.

Cisco has released a path file that addresses the issue and will include the ...