Cisco Unified Communications Manager CVSS 10 Vulnerability: 1K+ Assets Exposed to the Internet

A critical flaw (CVE-2025-20309, CVSS 10.0) in Cisco Unified Communications Manager lets attackers gain root access via hard-coded credentials in versions 15.0.1.13010-1 to 13017-1. Over 1,000 internet-exposed assets are at risk globally, especially in the US and Asia. Likely targets include VoIP and government networks. Immediate patching, access restrictions, and log monitoring are strongly advised to prevent system compromise.

CloudSEK TRIAD
July 4, 2025
Green Alert
Last Update posted on
July 4, 2025

Executive Summary

Cisco has released urgent security updates to fix a critical vulnerability (CVE-2025-20309, CVSS 10.0) in Unified Communications Manager (Unified CM) and its Session Management Edition. The flaw allows an unauthenticated remote attacker to log in as root using static credentials present in affected versions 15.0.1.13010-1 through 15.0.1.13017-1, regardless of device configuration; no workaround exists, so patching is the only fix. Over a thousand exposed devices exist worldwide, primarily in the US, Thailand, Korea, Russia, and Europe, some of them belonging to organizations in highly critical sectors. Threat actors such as APT28, APT41, MuddyWater, and initial access brokers are likely to use this flaw to compromise networks, intercept VoIP traffic, or deploy ransomware. Although no public exploitation has been confirmed yet, the probability is very high. Immediate patching, restricting management access, monitoring logs for successful root SSH logins, and network segmentation are the critical mitigations against full system compromise and lateral movement within affected environments.

Analysis and Attribution

Cisco has issued security updates to address a critical vulnerability (CVE-2025-20309) in its Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME). This flaw, with a CVSS score of 10.0, allows an attacker to gain root access and elevated privileges on affected devices. The vulnerability impacts Unified CM and Unified CM SME versions 15.0.1.13010-1 through 15.0.1.13017-1, regardless of device configuration.

Source: Cisco Advisory

This comes after Cisco patched two security vulnerabilities (CVE-2025-20281 and CVE-2025-20282) within its Identity Services Engine and ISE Passive Identity Connector, which previously allowed unauthenticated attackers to execute arbitrary commands with root privileges.

Based on FOFA search results, we can see that there are over a thousand assets exposed to the internet that are running Cisco Unified Communications Manager.

The majority of the assets are in the United States, followed by Thailand, Korea, Russia, Czechia, Japan, Mali and Lithuania. 

Threat Actors In Focus

The following actors may take an interest in weaponizing this initial access vector based on their history:

1. APT28 (Fancy Bear, Russia):
  • Known to exploit network infrastructure vulnerabilities (Cisco, Fortinet, etc.).
  • Has previously used VPN/VoIP attack vectors during lateral movement.
  • Prior targeting of Cisco ASA and VOIP/UC infrastructure in military and government networks.
2. APT41 (China):
  • Highly skilled in post-exploitation and weaponizing misconfigurations or hardcoded credential flaws.
  • History of supply chain and telecommunication targeting.
  • Leveraged exposed services and weak admin credentials during campaigns in Asia and the Middle East.
3. MuddyWater (Iran):
  • Known to exploit authentication bypasses and RCE in network gear.
  • Targeted telco and government infrastructure in UAE, Turkey, and Israel.
  • Uses tools like Ligolo and Chisel after gaining root access — these work well on Linux appliances like Unified CM.
4. UNC groups and Access Brokers:
  • Access brokers often scan for RCE or credential-based flaws (like this one) and sell root access to ransomware operators.
  • Internet-exposed Unified CM appliances are trivially enumerated with Shodan/Censys/FOFA, which is exactly how the 1,000+ assets above were found; brokers run the same queries.
  • The logs from successful exploitation might also be sold on dark web forums.

How Probable Is Exploitation?

Very high, if:

  • The hard-coded credentials become known (e.g., leaked, reverse-engineered, brute-forced).
  • The systems are exposed externally (e.g., via misconfigured firewalls or VPN).
  • Organizations delay patching.

According to Cisco, no public exploitation has been observed so far. CloudSEK assesses with high confidence that well-resourced threat actors will attempt to build a working proof of concept. Because the credentials are static and the flaw is independent of device configuration, any such exploit would work unchanged against every unpatched device in the affected version range.

Impact

  • Pivot into the internal network.
  • Command execution as root (full system compromise), leading to data exfiltration and/or ransomware.
  • Intercept or manipulate VoIP traffic, such as:
    • Eavesdropping on sensitive conversations.
    • Man-in-the-middle (MITM) of SIP or RTP streams.
  • Disrupt call flows or impersonate internal users.
  • Extract call logs or voicemail data.

Mitigations

  • Apply Cisco Security Updates Immediately: Patch all affected Unified CM and Unified CM SME systems (15.0.1.13010-1 through 15.0.1.13017-1) with the Cisco-provided fix. There is no workaround for this vulnerability; removing the static root credentials requires the update.
  • Restrict Access to Management Interfaces: Limit network access to Unified CM SSH and admin interfaces using strict firewall rules and VPN access, so that only management hosts can reach them. Exposure to the internet should be treated as a finding in itself.
  • Monitor for Indicators of Compromise: Regularly check /var/log/active/syslog/secure (retrievable from the appliance CLI with `file get activelog syslog/secure`) for successful root logins. The indicator is an sshd entry that shows an accepted login for the user root; a failed password attempt for root is noise, not confirmation. Any accepted root SSH login on an unpatched device should trigger incident response immediately, since that account is not meant to be reachable by customers at all.
  • Conduct Network Segmentation and Incident Response: Isolate vulnerable or critical VoIP infrastructure from general network segments and prepare incident response plans for potential exploitation scenarios.
  • Analyze Attack Surface: Map your digital asset footprint with solutions like BeVigil and gain visibility into your hidden attack surface. 
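The two checks above (is the running version in the affected range, and does the secure log contain a successful root SSH login) are easy to get subtly wrong: a naive `grep root` on the secure log will match failed attempts too, and comparing version strings lexically misorders them. The following triage helper is an added example written for this article, not CloudSEK's or Cisco's code. The version boundaries come from the advisory; the log lines are constructed and use the standard OpenSSH "Accepted ... for ... from ..." format, while hostnames, addresses, and the out-of-range versions are hypothetical.

```python
"""Triage helper for CVE-2025-20309 (Cisco Unified CM static root SSH credentials).

Added example, not CloudSEK's or Cisco's code. Two checks:
  1. is_affected_version(): is a Unified CM / SME version string inside the
     affected range 15.0.1.13010-1 .. 15.0.1.13017-1 given in the advisory?
  2. find_root_ssh_logins(): scan the text of /var/log/active/syslog/secure
     for *successful* sshd logins as root, ignoring failed attempts.
Sample log lines below are constructed; hostnames and IPs are hypothetical.
"""
import re
from typing import List, Tuple

AFFECTED_MIN = "15.0.1.13010-1"
AFFECTED_MAX = "15.0.1.13017-1"

# Unified CM versions look like MAJOR.MINOR.PATCH.BUILD-REV, e.g. 15.0.1.13010-1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'15.0.1.13010-1' -> (15, 0, 1, 13010, 1). Raises ValueError on other input.

    Parsing to integers matters: a string comparison would put '15.0.1.9999-1'
    after '15.0.1.13017-1' and misclassify it.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Unified CM version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version: str) -> bool:
    """True if the version lies inside the advisory's affected range (inclusive)."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


# Standard OpenSSH success message, e.g.
#   Jul  4 10:12:33 cucm-pub sshd[4121]: Accepted password for root from 203.0.113.7 port 51822 ssh2
# "Failed password for root ..." lines do NOT match this pattern, by design.
_ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def find_root_ssh_logins(secure_log: str) -> List[dict]:
    """Return one record per successful sshd login as root in the given log text."""
    hits = []
    for line in secure_log.splitlines():
        m = _ACCEPTED_RE.search(line)
        if m and m.group("user") == "root":
            hits.append({
                "method": m.group("method"),   # password / publickey / ...
                "src": m.group("src"),         # source address of the login
                "port": int(m.group("port")),
                "line": line.strip(),
            })
    return hits


# Constructed sample of what a retrieved secure log might contain.
# Line 1 is a failed root attempt (noise); line 3 is the real indicator.
SAMPLE_SECURE_LOG = """\
Jul  4 09:58:01 cucm-pub sshd[3990]: Failed password for root from 198.51.100.20 port 44010 ssh2
Jul  4 10:01:14 cucm-pub sshd[4002]: Accepted publickey for admin from 10.10.5.4 port 50211 ssh2
Jul  4 10:12:33 cucm-pub sshd[4121]: Accepted password for root from 203.0.113.7 port 51822 ssh2
Jul  4 10:12:34 cucm-pub sshd[4121]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

if __name__ == "__main__":
    # 15.0.1.13018-1 and 14.0.1.13010-1 are hypothetical out-of-range strings.
    for v in ("15.0.1.13010-1", "15.0.1.13017-1", "15.0.1.13018-1", "14.0.1.13010-1"):
        print(f"{v}: {'AFFECTED' if is_affected_version(v) else 'not in range'}")
    for hit in find_root_ssh_logins(SAMPLE_SECURE_LOG):
        print(f"ROOT SSH LOGIN from {hit['src']} via {hit['method']}: {hit['line']}")
```

In practice you would feed `find_root_ssh_logins()` the file pulled with `file get activelog syslog/secure` from each publisher and subscriber, and `is_affected_version()` the output of `show version active`. The sample deliberately includes a failed root attempt so the distinction the mitigation draws (accepted login, not merely a line mentioning root) is visible: only the 203.0.113.7 entry is reported.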

Author

CloudSEK TRIAD

CloudSEK Threat Research and Information Analytics Division
