The second max score this week for Netzilla - not a good look


If you're running the Engineering-Special (ES) builds of Cisco Unified Communications Manager or its Session Management Edition, you need to apply Cisco's urgent patch after someone at Switchzilla made a big mistake.

Cisco Unified Communications Manager (CM) consolidates IP telephony, high-definition video, unified messaging, instant messaging, and Presence status indicators. Its Session Management Edition centralizes dial-plan and trunk aggregation across multi-site deployments.

However, the ES builds of both packages have hardcoded credentials baked in, and they cannot be changed or deleted, meaning an unauthenticated, remote attacker can quickly get themselves full root control of a system if they know where to look. There's no workaround, and the only solution is to upgrade to the newest code for Unified CM, Cisco said.

There is an ostensible purpose behind the mistake, dubbed CVE-2025-20309, with a critical rating of 10.0. The credentials have been left in there to make ...


Copyright of this story solely belongs to theregister.co.uk.