Hardcoded Horror: Cisco Leaves Enterprise Doors Wide Open (Again)

Cisco has patched a critical vulnerability in its Unified CM and Unified CM SME software caused by hardcoded SSH credentials that let attackers log in as root.
Tracked as CVE-2025-20309 with a flawless 10/10 CVSS score, the flaw stems from static credentials embedded for development that were never meant to stay—but did.
The bug impacts Engineering Special versions 15.0.1.13010-1 through 15.0.1.13017-1, regardless of system configuration, and could allow full command execution with root privileges.
Cisco released a patch and plans to include the fix in the Unified CM 15SU3 update expected later this July.
Organizations are urged to check system logs for root access attempts in /var/log/active/syslog/secure to detect potential breaches.
The company claims no known exploitation in the wild, so for now, it’s only a ticking time bomb.
Three additional medium-severity flaws were also patched in Cisco Spaces Connector, ECE, and BroadWorks, covering privilege escalation and XSS vulnerabilities.
Cisco says none of these issues have been exploited—yet—but encourages users to update before attackers get any bright ideas.
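The log check the article recommends, as an added illustration that is not from the Cisco advisory or the article: a small Python parser that pulls root SSH authentication records out of /var/log/active/syslog/secure and tallies them per source address. It assumes the file uses the standard OpenSSH sshd syslog line format; the sample lines are constructed.

```python
import re
from collections import Counter
from typing import Iterable

# Log path named in the advisory. The line format matched below is the standard
# OpenSSH sshd syslog format, which is an assumption rather than something the page states.
SECURE_LOG = "/var/log/active/syslog/secure"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

def root_ssh_events(lines: Iterable[str]) -> list:
    """Return every sshd authentication record for the root account, parsed into fields."""
    events = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m and m.group("user") == "root":
            events.append({"result": m.group("result"), "method": m.group("method"),
                           "src": m.group("src"), "port": int(m.group("port"))})
    return events

def summarize(lines: Iterable[str]) -> dict:
    """Count root SSH successes and failures per source address for triage."""
    accepted, failed = Counter(), Counter()
    for ev in root_ssh_events(lines):
        (accepted if ev["result"] == "Accepted" else failed)[ev["src"]] += 1
    return {"accepted": dict(accepted), "failed": dict(failed)}

# Constructed sample lines (not real log data) so the script runs stand-alone.
SAMPLE_LOG = [
    "Jul  2 10:14:03 cucm-pub sshd[2231]: Accepted password for root from 203.0.113.7 port 51234 ssh2",
    "Jul  2 10:14:09 cucm-pub sshd[2240]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Jul  2 10:15:11 cucm-pub sshd[2251]: Accepted publickey for admin from 198.51.100.4 port 40022 ssh2",
    "Jul  2 10:16:27 cucm-pub sshd[2260]: Failed password for invalid user oracle from 203.0.113.9 port 51301 ssh2",
]

if __name__ == "__main__":
    try:  # on a Unified CM host read the real log; elsewhere fall back to the sample
        with open(SECURE_LOG, encoding="utf-8", errors="replace") as fh:
            lines = list(fh)
    except OSError:
        lines = SAMPLE_LOG
    for ev in root_ssh_events(lines):
        print(f"{ev['result']:8} {ev['method']:9} root from {ev['src']}:{ev['port']}")
    print(summarize(lines))
```

Any "Accepted" record for root from an address you do not recognise is the line to escalate; repeated "Failed" records from one source show where the credential is being tried.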