CVE-2025-20309

CWE-798Hard-coded Credentials5 documents5 sources
Severity
10.0CRITICAL
EPSS
0.2%
top 53.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Cisco Unified Communications ManagerCisco Unified Communications Manager
Timeline
PublishedJul 2

Description

A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development. An attacker could exploit this v

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages2 packages

Patches

Patch: sec.cloudapps.cisco.com

🔴Vulnerability Details

2
GHSA
GHSA-3q7w-9xf2-2f3g: A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM S2025-07-02
CVEList
Cisco Unified Communications Manager Static SSH Credentials Vulnerability2025-07-02

📋Vendor Advisories

1
Cisco
Cisco Unified Communications Manager Static SSH Credentials Vulnerability2025-07-02
CVE-2025-20309 (CRITICAL CVSS 10) | A vulnerability in Cisco Unified Co | cvebase.io