Arctic Wolf Security Bulletin

CVE-2025-20309: Cisco Unified Communications Manager Static SSH Credentials Maximum Severity Vulnerability


On July 2, 2025, Cisco released a security advisory detailing a maximum severity vulnerability (CVE-2025-20309) in Cisco Unified Communications Manager and Unified Communications Manager SME Engineering Special, caused by hard-coded root SSH credentials that cannot be changed or removed. Although this application is not typically exposed publicly on the internet, the vulnerability may allow an unauthenticated threat actor with access to the management network to log in as root and execute arbitrary commands with full system privileges.

The advisory also provides indicators of compromise, including root SSH login details in system logs, to help detect potential exploitation. Cisco stated that there is no known exploitation of this vulnerability in the wild at this time; however, the vulnerability will likely be exploited in the near future due to the low complexity of exploitation. Similar vulnerabilities in Cisco products have previously been exploited, such as CVE-2024-20439, a vulnerability in Cisco Smart Licensing Utility that was also caused by hard-coded credentials.

Recommendation 

Upgrade to Latest Fixed Release

Arctic Wolf strongly recommends that customers running the following affected software upgrade to the latest fixed release. 

| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| Cisco Unified CM and Unified CM SME Engineering Special (ES) | 15.0.1.13010-1 through 15.0.1.13017-1 | 15SU3 (July 2025) (or apply the patch file) |

 

Note: Versions 12.5 and 14 are not vulnerable. Only the listed set of ES releases is vulnerable. No Service Updates (SUs) for any releases are affected.  
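The version range above and the root SSH login indicator mentioned earlier can be combined into a quick triage check. The following is an added example, not code from Arctic Wolf or Cisco: it assumes the standard OpenSSH and pam_unix log message shapes, and the hostname, addresses and log lines are constructed for illustration. A match is a lead to investigate, since the exact log entries to look for are defined in the Cisco advisory.

```python
import re

# Affected Engineering Special range as stated in this bulletin.
AFFECTED_LOW = (15, 0, 1, 13010, 1)
AFFECTED_HIGH = (15, 0, 1, 13017, 1)

# Standard OpenSSH / pam_unix message shapes for a root login (assumed format;
# confirm the exact entries to look for against the Cisco advisory).
ROOT_LOGIN = re.compile(
    r"sshd(?:\[\d+\])?:\s+(?:Accepted \S+ for root from (?P<src>\S+)"
    r"|pam_unix\(sshd:session\): session opened for user root\b)"
)


def parse_version(text):
    """Turn '15.0.1.13010-1' into a comparable tuple of integers."""
    parts = re.split(r"[.-]", text.strip())
    if len(parts) != 5 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True only for builds inside the listed ES range."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def root_ssh_logins(lines):
    """Return (line_number, source_or_None, line) for each root SSH login."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = ROOT_LOGIN.search(line)
        if match:
            hits.append((number, match.group("src"), line.rstrip()))
    return hits


# Constructed sample log lines for illustration, not taken from a real system.
SAMPLE_LOG = [
    "Jul  3 02:14:07 cucm-pub sshd[4211]: Accepted password for root from 10.20.30.44 port 50122 ssh2",
    "Jul  3 02:14:07 cucm-pub sshd[4211]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Jul  3 02:20:51 cucm-pub sshd[4302]: Accepted password for admin from 10.20.30.10 port 50301 ssh2",
    "Jul  3 02:25:13 cucm-pub sshd[4410]: Failed password for root from 10.20.30.44 port 50190 ssh2",
]

if __name__ == "__main__":
    print("15.0.1.13012-1 affected:", is_affected("15.0.1.13012-1"))
    for number, src, line in root_ssh_logins(SAMPLE_LOG):
        print(f"line {number}: root SSH login from {src or 'unknown'}")
```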

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 

References 

Cisco Advisory
