Static Credentials Flaw Patched in Cisco Systems


Flaw Exposes Remote Privilege Escalation Risk

Prajeet Nair (@prajeetspeaks) • July 3, 2025

Cisco released urgent security updates to fix a critical vulnerability in Unified Communications Manager that could allow unauthenticated attackers to gain root access to affected systems.

The maximum-severity vulnerability in Cisco's Unified CM and Session Management Edition allows unauthenticated remote attackers to log in as the root user using static development credentials, Cisco warned in an advisory.

The flaw, tracked as CVE-2025-20309, with a CVSS score of 10.0, stems from the inclusion of hardcoded root credentials in select engineering special builds of Unified CM 15.0.1.13010-1 through 15.0.1.13017-1. These static credentials, intended for development use, cannot be changed or removed by administrators, making exploitation trivial for attackers who obtain access.

Cisco Unified ...


Copyright of this story solely belongs to bankinfosecurity.