Cisco Addresses Critical Security Vulnerability in Unified Communications Manager

Cisco has recently removed a backdoor account from its Unified Communications Manager (Unified CM), which posed a significant security risk by allowing remote attackers to access unpatched devices with root privileges.

The vulnerability, designated as CVE-2025-20309, has been rated at maximum severity and stemmed from the use of static user credentials for the root account initially meant for development and testing purposes. This flaw affects versions 15.0.1.13010-1 through 15.0.1.13017-1 of Cisco Unified CM and Unified CM SME Engineering Special (ES) releases, regardless of device configuration.

In a security advisory published on Wednesday, Cisco indicated that no workarounds are available to mitigate this vulnerability. The only remedy is for administrators to upgrade their systems to the latest version of Cisco Unified CM or apply the specific patch file Cisco has released for it. Failure to address this vulnerability could enable unauthorized remote access, placing sensitive systems at risk.

Cisco further elaborated that exploitation of CVE-2025-20309 could allow an unauthenticated attacker to gain root access to affected devices, which would enable them to execute arbitrary commands. Although there are currently no known proofs-of-concept or reports of exploitation, Cisco’s Product Security Incident Response Team (PSIRT) has released indicators of compromise for device identification.

Security professionals can use the default logging features to identify potential exploitation attempts by checking the log file at /var/log/active/syslog/secure. As Cisco indicated, such access attempts are logged by default, which makes detection more straightforward for administrators.
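As an added example (not code from Cisco or from the article), the following Python checker scans entries exported from /var/log/active/syslog/secure for successful root SSH logins, the kind of access the advisory says is recorded by default. It assumes standard sshd "Accepted ... for root" syslog lines; the hostname, usernames and sample entries are constructed, and the pattern should be adjusted to match the actual wording in your own secure log.

```python
import re
import sys
from dataclasses import dataclass

# Log file named in Cisco's advisory for Unified CM.
SECURE_LOG = "/var/log/active/syslog/secure"

# Assumed format: standard sshd "Accepted ..." messages as syslog writes them.
# The exact wording on Unified CM is not confirmed by the article; adjust the
# pattern to match what your own secure log contains.
ROOT_LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Accepted (?P<method>\w+) for root from (?P<src>[\d.]+) port (?P<port>\d+)"
)

@dataclass
class RootLogin:
    timestamp: str
    method: str
    source: str
    port: int

def find_root_logins(lines):
    """Return every successful root SSH login found in the given log lines."""
    hits = []
    for line in lines:
        m = ROOT_LOGIN_RE.search(line)
        if m:
            hits.append(RootLogin(m["ts"], m["method"], m["src"], int(m["port"])))
    return hits

def summarize(hits):
    """Count root logins per source address so an operator sees where they came from."""
    counts = {}
    for h in hits:
        counts[h.source] = counts.get(h.source, 0) + 1
    return counts

# Constructed sample lines, not taken from a real device (hostname and usernames invented).
SAMPLE_LOG = """\
Jul  2 09:14:01 cucm-pub sshd[4112]: Accepted password for opsadmin from 10.0.0.5 port 51022 ssh2
Jul  2 09:15:33 cucm-pub sshd[4120]: Failed password for root from 203.0.113.9 port 40011 ssh2
Jul  2 09:15:41 cucm-pub sshd[4120]: Accepted password for root from 203.0.113.9 port 40011 ssh2
Jul  2 09:20:07 cucm-pub sshd[4133]: Accepted publickey for root from 203.0.113.9 port 40102 ssh2
""".splitlines()

if __name__ == "__main__":
    # Pass the path of an exported secure log; otherwise the constructed sample is scanned.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for src, n in summarize(find_root_logins(lines)).items():
        print(f"{n} successful root login(s) from {src}")
```

Any root login reported here on a device that should never see interactive root SSH access warrants investigation, together with a check that the affected ES release has been patched.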

This isn’t the first instance of a backdoor account discovered in Cisco products. The company has previously had to address hardcoded credentials across various products, including IOS XE and Wide Area Application Services (WAAS), among others. Such findings raise ongoing concerns regarding the security of Cisco products and the implications for their users.

In April, Cisco had alerted users regarding a critical vulnerability in the Cisco Smart Licensing Utility (CSLU), which exposed another built-in backdoor that was used in attacks. Additionally, the removal of a hardcoded JSON Web Token (JWT) was announced in May. The company continues to reinforce its commitment to addressing security issues, ensuring customer data remains protected amid heightened cyber threats.