Cisco on Wednesday introduced patches for a crucial vulnerability in its Unified CM and Unified CM SME communication administration software program that might enable attackers to log in as the basis account.
The problem, tracked as CVE-2025-20309 (CVSS rating of 10/10), exists as a result of the enterprise administration instruments include default, static credentials that may not be eliminated or modified.
“This vulnerability is as a result of presence of static person credentials for the basis account which can be reserved to be used throughout improvement,” Cisco explains in its advisory.
An attacker may use the account to log in to a weak system and execute arbitrary instructions with root privileges, the tech large warns.
Unified CM and Unified CM SME Engineering Particular (ES) variations 15.0.1.13010-1 via 15.0.1.13017-1 are affected, whatever the system’s configuration.
Cisco has launched a path file that addresses the problem and can embrace the repair in Unified CM and Unified CM SME launch 15SU3, which is predicted to roll out this month.
In keeping with the corporate, profitable exploitation of the bug ought to present a log entry for the basis person in var/log/lively/syslog/safe. Organizations ought to retrieve the logs to hunt for potential compromise. Nevertheless, Cisco says it isn’t conscious of this vulnerability being exploited within the wild.
On Wednesday, the tech large additionally introduced patches for 3 medium-severity vulnerabilities affecting Areas Connector, Enterprise Chat and Electronic mail (ECE), and BroadWorks Software Supply Platform, which may result in privilege escalation and XSS assaults.Commercial. Scroll to proceed studying.
Cisco says it has not seen these safety defects being exploited in assaults both. Further data could be discovered on Cisco’s safety advisories web page.
