Cisco fixes a severe Unified CM flaw exposing systems to root access. Learn about the backdoor, risks, and urgent best practices for enterprise security.

Continue reading
Cisco has released a critical security update for its Unified Communications Manager (Unified CM, formerly CallManager), addressing a severe vulnerability that left enterprise telephony systems exposed to remote root access. The flaw, tracked as CVE-2025-20309, was caused by a hardcoded root SSH account present in several recent Engineering Special (ES) releases, allowing unauthenticated attackers to gain full control over affected systems. This vulnerability underscores the ongoing challenge of secure software development and the risks posed by overlooked backdoors in widely deployed enterprise infrastructure.
The vulnerability was discovered in Unified CM and Unified CM SME ES releases 15.0.1.13010-1 through 15.0.1.13017-1. Due to a static root credential left over from development and testing, attackers could remotely log in via SSH as root, bypassing all authentication and security controls. Once inside, an attacker could execute arbitrary commands, access sensitive data, disrupt communications, or pivot deeper into enterprise networks.
Cisco confirmed that all deployments running the affected ES releases are at risk, regardless of configuration. There are currently no workarounds—patching is mandatory to mitigate exposure.
Organizations using Cisco Unified CM or Unified CM SME in the specified versions are directly at risk. Unified CM is a core component of enterprise communication, managing VoIP, video, messaging, and conferencing for thousands of organizations worldwide. The presence of a root backdoor in such a critical system elevates the risk profile, as a compromise could lead to widespread operational disruption and data breaches.
Cisco’s internal security team identified the hardcoded account during a routine review. The company responded by releasing a patch in July 2025 (15SU3) and a targeted fix (CSCwp27755) that removes the backdoor account. Cisco has also published indicators of compromise to help administrators detect any unauthorized root access attempts, including guidance to review SSH logs for suspicious activity.
No active exploitation or public proof-of-concept code has been reported as of publication, but Cisco’s transparency and rapid response reflect the criticality of the threat.
Detection and Remediation Steps Immediate actions for administrators:
Patch immediately: Upgrade to Unified CM or Unified CM SME 15SU3 or apply the CSCwp27755 patch.
This is not the first time Cisco has addressed hardcoded credentials in its products. Similar backdoors have been discovered in IOS XE, WAAS, DNA Center, and other Cisco software over recent years, highlighting a persistent industry challenge: ensuring that development artifacts and test accounts are fully removed before release. The recurrence of such issues emphasizes the need for rigorous code audits, secure development practices, and continuous security testing.
The discovery and swift remediation of the Unified CM backdoor root account serve as a critical reminder of the importance of secure software development and proactive vulnerability management in enterprise environments.
Organizations running Cisco Unified CM must act immediately to patch affected systems, audit for compromise, and reinforce security best practices to protect their communications infrastructure from evolving threats.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.