
Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM) that allowed remote attackers to log in to unpatched devices with root privileges.
Cisco Unified Communications Manager (CUCM), formerly known as Cisco CallManager, serves as the central control system for Cisco's IP telephony systems, handling call routing, device management, and telephony features.
The vulnerability (tracked as CVE-2025-20309) was given maximum severity status, and it is caused by static user credentials for the root account, which were set up for use during testing.
According to a Cisco security advisory released on Wednesday, CVE-2025-20309 affects Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.1301010-1 through 15.0.1.13017-1, regardless of the device configuration.
The company said that there are no workarounds that address the vulnerability. Admins can only fix the flaw and remove the backdoor account by upgrading vulnerable devices to Cisco Unified CM and Unified CM SME 15SU3 (July 2025) or by applying the CSCWP27755 patch file.
“A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) can allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or removed,” Cisco explained.
After successful exploitation, attackers can gain access to vulnerable systems and execute arbitrary commands with root privileges.
While the Cisco Product Security Incident Response Team (PSIRT) is not yet aware of available proof-of-concept code or of exploitation in attacks, the company has released indicators of compromise to help identify affected devices.
As Cisco said, exploitation of CVE-2025-20309 would result in a log entry for the root user with root permissions in /var/log/active/syslog/secure. Since logging of this event is enabled by default, admins can retrieve the log to look for exploitation attempts by running the following command from the command line: file get activelog syslog/secure
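Once the secure log has been retrieved, the check described above can be scripted. The following is an added example, not code from Cisco or from the original article: it assumes the entries follow the standard OpenSSH sshd and pam_unix syslog format (the article does not show the log format), and the sample lines, host name, and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in standard sshd/pam_unix syslog format (an assumption:
# the article does not show what the Unified CM entry looks like).
SAMPLE_SECURE_LOG = """\
Jul  2 10:14:03 cucm1 sshd[4121]: Failed password for admin from 198.51.100.7 port 50212 ssh2
Jul  2 10:15:41 cucm1 sshd[4130]: Accepted password for root from 203.0.113.25 port 41822 ssh2
Jul  2 10:15:41 cucm1 sshd[4130]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  2 11:02:09 cucm1 sshd[4188]: Accepted password for admin from 192.0.2.10 port 53110 ssh2
Jul  2 11:40:55 cucm1 sshd[4203]: Accepted publickey for root from 203.0.113.25 port 41990 ssh2
"""

# "Accepted <method> for <user> from <src> port <n>": a successful SSH login.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s\d+"
)
# PAM session-open line; the user may be followed by "(uid=0)" in newer formats.
SESSION = re.compile(r"sshd\[\d+\]:\s.*session opened for user (?P<user>[^\s(]+)")

def find_root_logins(text, user="root"):
    """Return (logins, sessions): accepted SSH logins for `user` grouped by
    source address, and the number of PAM session-open lines for `user`."""
    logins = defaultdict(list)
    sessions = 0
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            if m["user"] == user:
                logins[m["src"]].append((m["ts"], m["method"]))
            continue
        s = SESSION.search(line)
        if s and s["user"] == user:
            sessions += 1
    return dict(logins), sessions

if __name__ == "__main__":
    logins, sessions = find_root_logins(SAMPLE_SECURE_LOG)
    for src, events in logins.items():
        for ts, method in events:
            print(f"root login via {method} from {src} at {ts}")
    print(f"{sessions} root session-open line(s)")
```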
This is far from the first backdoor account Cisco has had to remove from its products in recent years, with previous hardcoded credentials found in its IOS XE, Wide Area Application Services (WAAS), Digital Network Architecture (DNA) Center, and Emergency Responder software.
More recently, Cisco warned admins in April to patch an important Cisco Smart Licensing Utility (CSLU) vulnerability that exposes a built-in backdoor administrator account used in attacks. A month later, the company removed a hardcoded JSON Web Token (JWT) that allows unauthenticated remote attackers to take over IOS XE devices.


