Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM), which would have allowed remote attackers to log in to unpatched devices with root privileges.

Cisco Unified Communications Manager (CUCM), formerly known as Cisco CallManager, serves as the central control system for Cisco's IP telephony systems, handling call routing, device management, and telephony features.

"A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted," Cisco explained.

According to a Cisco security advisory released on Wednesday, CVE-2025-20309 affects Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1, regardless of the device configuration.

Admins can only fix the flaw and remove the backdoor account by upgrading vulnerable devices to Cisco Unified CM and Unified CM SME 15SU3 (July 2025) or by applying the CSCwp27755 patch file that Cisco has published.

While the Cisco Product Security Incident Response Team (PSIRT) is not yet aware of proof-of-concept code available online or of exploitation in attacks, the company has released indicators of compromise to help identify impacted devices.

This is far from the first backdoor account Cisco has had to remove from its products in recent years, with previous hardcoded credentials found in its IOS XE, Wide Area Application Services (WAAS), Digital Network Architecture (DNA) Center, and Emergency Responder software.

More recently, Cisco warned admins in April to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability that exposes a built-in backdoor admin account used in attacks.
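Two checks a practitioner would want after reading the advisory details above: whether a given Unified CM build falls inside the affected ES range, and whether any successful root login appears in the device's authentication log. The following Python is an added example written for this page; it is not Cisco's published indicator of compromise and not code from the article. The version bounds are the ones the advisory quotes; the assumption that a backdoor login would surface as an OpenSSH-style "Accepted ... for root" syslog line is mine, and the log lines below are constructed for illustration.

```python
import re
from typing import List, Dict

# Affected Engineering Special (ES) range as stated in the Cisco advisory
# quoted in the article (inclusive on both ends).
AFFECTED_FIRST = "15.0.1.13010-1"
AFFECTED_LAST = "15.0.1.13017-1"


def parse_version(version: str) -> tuple:
    """Turn a Unified CM build string such as '15.0.1.13010-1' into an
    integer tuple (15, 0, 1, 13010, 1) so builds compare in release order.
    A missing '-N' suffix is treated as 0."""
    main, _, build = version.strip().partition("-")
    parts = [int(p) for p in main.split(".")]
    parts.append(int(build) if build else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the build lies inside the affected ES range."""
    v = parse_version(version)
    return parse_version(AFFECTED_FIRST) <= v <= parse_version(AFFECTED_LAST)


# Assumption (not from the advisory): a login with the static root account
# would be recorded by sshd as an 'Accepted <method> for root' line.
_ROOT_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for root from (?P<ip>\S+) port (?P<port>\d+)"
)


def find_root_logins(log_text: str) -> List[Dict[str, str]]:
    """Scan syslog-style text and return every successful root SSH login.
    Failed attempts and logins by other accounts are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = _ROOT_LOGIN.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


# Constructed sample log (not real device output). Only the first line is a
# successful root login; the others are a failed attempt and a normal admin login.
SAMPLE_LOG = """\
Jul  2 14:03:11 cucm-pub sshd[2345]: Accepted password for root from 203.0.113.7 port 51422 ssh2
Jul  2 14:05:02 cucm-pub sshd[2400]: Failed password for root from 203.0.113.7 port 51430 ssh2
Jul  2 14:06:40 cucm-pub sshd[2410]: Accepted publickey for admin from 198.51.100.20 port 40110 ssh2
"""

if __name__ == "__main__":
    for v in ("15.0.1.13009-1", "15.0.1.13010-1", "15.0.1.13017-1", "15.0.1.13018-1"):
        print(v, "affected" if is_affected(v) else "not affected")
    for hit in find_root_logins(SAMPLE_LOG):
        print("root login:", hit["ts"], hit["method"], "from", hit["ip"])
```

On a real deployment you would feed `find_root_logins` the exported authentication log rather than the embedded sample, and treat any hit on a build inside the affected range as a trigger for incident response, since the root account's credentials cannot be changed on those builds.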
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 02 Jul 2025 17:10:16 +0000