Source: BleepingComputer
Author: Sergiu Gatlan
URL: https://www.bleepingcomputer.com/news/security/cisco-removes-unified-cm-callManager-backdoor-root-account/
ONE SENTENCE SUMMARY:

Cisco has patched a critical backdoor vulnerability (CVE-2025-20309) in Unified Communications Manager that allows unauthenticated attackers remote root access.

MAIN POINTS:

- Cisco Unified CM had a critical backdoor root account vulnerability, tracked as CVE-2025-20309.
- The vulnerability arises from static default credentials that were used during development and testing.
- CVE-2025-20309 affects Unified CM and SME Engineering Special releases 15.0.1.13010-1 through 15.0.1.13017-1.
- Exploitation gives unauthenticated attackers root-level remote access to affected systems.
- No workarounds exist; admins must upgrade or apply the CSCwp27755 security patch.
- Cisco provided indicators of compromise to assist detection and response efforts.
- Successful exploitation creates log entries under /var/log/active/syslog/secure, which admins can inspect.
- Cisco has previously removed similar backdoor accounts from IOS XE, DNA Center, and Emergency Responder.
- Earlier this year, Cisco patched similar issues in Smart Licensing Utility and IOS XE devices.
- There is no current evidence of active exploitation or of proof-of-concept code available online.

TAKEAWAYS:

- Immediately apply the Cisco-provided security patch or upgrade to mitigate this severe vulnerability.
- Regularly check the log at /var/log/active/syslog/secure for suspicious root user activity.
- Stay vigilant for Cisco security advisories concerning hardcoded credential vulnerabilities.
- Keep in mind that even reputable products may ship with hidden backdoor accounts.
- Prioritize patch management so that high-severity vulnerabilities in critical infrastructure are addressed rapidly.
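As an added example (not code from Cisco or from the article), the check recommended above can be automated: the script below scans the secure log for accepted SSH logins as root and reports the source of each one. It assumes the log uses the standard OpenSSH syslog line format; the sample lines are constructed, not taken from a real system.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the standard OpenSSH/syslog format that the
# Unified CM "secure" log is assumed to use; they are not from a real system.
SAMPLE_SECURE_LOG = """\
Jul  2 10:14:03 cucm-pub sshd[20411]: Accepted password for ccmadmin from 10.0.8.15 port 51322 ssh2
Jul  2 10:15:41 cucm-pub sshd[20477]: Failed password for root from 203.0.113.7 port 44120 ssh2
Jul  2 10:15:49 cucm-pub sshd[20477]: Accepted password for root from 203.0.113.7 port 44120 ssh2
Jul  2 10:15:49 cucm-pub sshd[20477]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  2 10:16:02 cucm-pub sudo:  ccmadmin : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/ls
"""

# Matches an sshd "Accepted <method> for <user> from <ip> port <port>" line.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class RootLogin:
    timestamp: str
    host: str
    method: str
    src_ip: str
    port: int


def find_root_logins(log_text, expected_sources=()):
    """Return every accepted SSH login for root, skipping known-good source addresses.

    Failed attempts and logins by other accounts are ignored; only successful
    root sessions are of interest for the backdoor account described above.
    """
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m or m["user"] != "root" or m["src"] in expected_sources:
            continue
        hits.append(RootLogin(m["ts"], m["host"], m["method"], m["src"], int(m["port"])))
    return hits


if __name__ == "__main__":
    for hit in find_root_logins(SAMPLE_SECURE_LOG):
        print(f"{hit.timestamp} root login via {hit.method} from {hit.src_ip}:{hit.port} on {hit.host}")
```

Feed it the real file contents instead of the sample string to review a system; any root login from an address you did not expect warrants the incident response steps in the advisory.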