Critical Vulnerability in Cisco Product Allows Unauthorized Access

Nguyễn Văn TrungNguyễn Văn Trung
2 min read

Details

Cisco has just issued a warning about a critical vulnerability – CVE-2025-20309 – affecting Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME). This vulnerability allows an unauthenticated attacker to access the system with root privileges through a default account that is hardcoded and cannot be changed or deleted.

  • CVE Code: CVE-2025-20309

  • Severity Level: High Risk (CVSS v3: 10)

  • Impact: Allows a remote attacker without authentication to log into the system with root privileges through the SSH port.

Affected Products

  • Cisco Unified CM and Unified CM SME Engineering Special (ES) versions from 15.0.1.13010-1 to 15.0.1.13017-1 are affected.
Cisco Unified CM & SME ReleaseFixed Version
12.5Not vulnerable
14Not vulnerable
15.0.1.13010-1 → 13017-115SU3 (07/2025) or apply patch: ciscocm.CSCwp27755_D0247-1.cop.sha512

Exploitation Potential and Indicators of Compromise (IoC)

This vulnerability allows an attacker to:

  • Access the system with root privileges

  • Install malware and gain unauthorized access to sensitive data

  • Move laterally to expand the attack within the internal system

Indicators of Compromise (IoC) include log records showing successful SSH login using the root account in the file /var/log/active/syslog/secure. Cisco advises customers to check their systems using the following CLI command:

  •       file get activelog syslog/secure

  • Successful exploitation will be recorded in the file /var/log/active/syslog/secure with an SSH login from the root user.

  • Example log indicating an Indicator of Compromise (IoC):

        Apr 6 10:38:43 xxx authpriv 6 sshd: pam_unix(sshd:session): session opened for user root by (uid=0)

Recommendations

FPT Threat Intelligence urgently recommends the following measures to address the vulnerability:

  1. Update the patch immediately:

    • Cisco has released an update to fix the affected products.

    • Visit the Cisco Security Advisory page to download the appropriate patch.

  2. Check and monitor SSH connections:

    • Review unusual SSH connections to the device.

    • Ensure there is no unauthorized access using static accounts.

  3. Disable SSH if not in use:

    • For systems that do not require SSH, disable it to reduce the attack surface.

  4. Reevaluate account management policies:

    • Avoid using hardcoded accounts.

    • Use strong authentication (multi-factor authentication) if possible.

  5. Enhance log monitoring and alerts:

    • Connect the system to SIEM to track unusual behavior.

    • Set up alerts for root access via SSH.

References

0
Subscribe to my newsletter

Read articles from Nguyễn Văn Trung directly inside your inbox. Subscribe to the newsletter, and don't miss out.

threat intelligenceCisco

Written by

Nguyễn Văn Trung
Nguyễn Văn Trung