Source: BleepingComputer
Author: Sergiu Gatlan
URL: https://www.bleepingcomputer.com/news/security/cisco-removes-unified-cm-callManager-backdoor-root-account/
ONE SENTENCE SUMMARY:
Cisco has patched a critical backdoor vulnerability (CVE-2025-20309) in Unified Communications Manager that allows remote attackers to gain root access.
MAIN POINTS:
- Cisco Unified CM had a critical backdoor root account vulnerability identified as CVE-2025-20309.
- The vulnerability stems from static, default credentials that were left over from development and testing.
- CVE-2025-20309 affects Unified CM and SME Engineering Special releases 15.0.1.13010-1 to 15.0.1.13017-1.
- Exploitation allows unauthenticated attackers root-level remote access to affected systems.
- No workarounds exist; admins must upgrade or apply the CSCwp27755 security patch.
- Cisco provided indicators of compromise to assist detection and response efforts.
- Successful exploitation creates log entries in /var/log/active/syslog/secure, which admins can access.
- Cisco has previously removed similar backdoor accounts from IOS XE, DNA Center, and Emergency Responder.
- Earlier this year, Cisco patched similar issues in Smart Licensing Utility and IOS XE devices.
- No current evidence indicates active exploitation or available proof-of-concept code online.
TAKEAWAYS:
- Immediately apply the Cisco-provided security patch or upgrade to mitigate this severe vulnerability.
- Regularly check the log at /var/log/active/syslog/secure for suspicious root user activity.
- Stay vigilant for security advisories from Cisco regarding hardcoded credential vulnerabilities.
- Maintain awareness that even reputable products may have hidden backdoor accounts.
- Prioritize patch management to rapidly address high-severity vulnerabilities in critical infrastructure.
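A detection check for the log location named in the points above, added here as an example that is not from the article or from Cisco: it assumes the secure log uses the standard OpenSSH sshd syslog line format and flags accepted root logins, optionally ignoring an allow-list of known management addresses. The log lines below are constructed sample data.

```python
import re
from collections import defaultdict

# Standard OpenSSH syslog line: "<timestamp> <host> sshd[<pid>]: Accepted <method> for <user> from <ip> port <n> ..."
# Assumption: the appliance's /var/log/active/syslog/secure uses this sshd format.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def find_root_logins(lines, allowed_sources=()):
    """Return accepted SSH logins for 'root' whose source is not allow-listed.

    Failed attempts and non-root logins are ignored; only successful root
    sessions are the signal worth escalating for this issue.
    """
    hits = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m or m.group("user") != "root":
            continue
        if m.group("src") in allowed_sources:
            continue
        hits.append({
            "ts": m.group("ts"),
            "method": m.group("method"),
            "src": m.group("src"),
            "port": int(m.group("port")),
        })
    return hits


def summarize_by_source(hits):
    """Count flagged root logins per source address, to spot repeat offenders."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["src"]] += 1
    return dict(counts)


# Constructed sample of the secure log; not real captured data.
SAMPLE_LOG = """Jul  2 10:14:03 cucm sshd[4412]: Accepted password for admin from 10.0.0.5 port 51022 ssh2
Jul  2 10:15:21 cucm sshd[4420]: Failed password for root from 203.0.113.7 port 40211 ssh2
Jul  2 10:15:25 cucm sshd[4420]: Accepted password for root from 203.0.113.7 port 40211 ssh2
Jul  2 11:02:10 cucm sshd[4501]: Accepted publickey for root from 10.0.0.9 port 50188 ssh2
Jul  2 11:40:44 cucm sshd[4533]: Accepted password for root from 203.0.113.7 port 40310 ssh2""".splitlines()

if __name__ == "__main__":
    for hit in find_root_logins(SAMPLE_LOG, allowed_sources=("10.0.0.9",)):
        print(f"{hit['ts']} root login via {hit['method']} from {hit['src']}:{hit['port']}")
    print(summarize_by_source(find_root_logins(SAMPLE_LOG)))
```

On a live system, replace SAMPLE_LOG with the lines read from the secure log and populate the allow-list with the addresses your own administrators use, so that only unexpected root sessions are reported.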