- Login credentials for an account with root entry was present in Cisco’s Unified Communications Supervisor
- There are not any workarounds, only a patch, so customers ought to replace now
- Totally different variations of the software are affected
One other hardcoded credential for admin entry has been found in a serious software program utility – this time round it’s Cisco, who found the slip-up in its Unified Communications Supervisor (Unified CM) resolution.
Cisco Unified CM is an enterprise-grade IP telephony name management platform offering voice, video, messaging, mobility, and presence companies. It manages voice-over-IP (VoIP) calls, and permits for the administration of duties similar to person/machine provisioning, voicemail integration, conferencing, and extra.
Lately, Cisco discovered login credentials coded into this system, permitting for entry with root privileges. The bug is now tracked as CVE-2025-20309, and was given a most severity rating – 10/10 (crucial). The credentials had been apparently used throughout growth and testing, and may have been eliminated earlier than the product was shipped to the market.
No proof of abuse
Cisco Unified CM and Unified CM SME Engineering Particular (ES) releases 15.0.1.13010-1 by 15.0.1.13017-1 had been mentioned to be affected, whatever the machine configuration. There are not any workarounds or mitigations, and the one strategy to tackle it’s to improve this system to model 15SU3 (July 2025).
“A vulnerability in Cisco Unified Communications Supervisor (Unified CM) and Cisco Unified Communications Supervisor Session Administration Version (Unified CM SME) might enable an unauthenticated, distant attacker to log in to an affected machine utilizing the basis account, which has default, static credentials that can’t be modified or deleted,” Cisco mentioned.
At press time, there was no proof of abuse within the wild.
Hardcoded credentials are one of many extra widespread causes of system infiltrations. Only recently Sitecore Expertise Platform, an enterprise-level content material administration system (CMS), held a hardcoded password for an inner person. It was only one letter – ‘b’ – which was tremendous straightforward to guess.
Roughly a yr in the past, safety researchers from Horizon3.ai discovered hardcoded credentials in SolarWinds’ Net Assist Desk.
Through BleepingComputer
