Urgent Cisco ISE/ISE-PIC Alert: Critical RCE Flaw (CVSS 10.0) Allows Unauthenticated Root Access
Cisco has remedied a critical vulnerability in its Unified Communications Manager (Unified CM), the enterprise telephony management system, which could have granted attackers complete control over affected devices due to a hardcoded superuser account embedded within the platform.
Formerly known as Cisco CallManager, Unified CM is a cornerstone of Cisco’s IP telephony suite, enabling call routing, device management, and other communication functions across large-scale organizations. The recently disclosed flaw—tracked as CVE-2025-20309—received the maximum CVSS severity rating of 10.0, stemming from the presence of static root credentials inadvertently left behind during development testing.
According to Cisco’s advisory, the vulnerability impacts versions of Unified CM and Unified CM SME Engineering Special (ES) from 15.0.1.13010-1 through 15.0.1.13017-1, regardless of individual device configurations. The company has not offered any temporary mitigations. The sole protective measure is upgrading to Cisco Unified CM and Unified CM SME version 15SU3, slated for release in July 2025, or applying the specific hotfix CSCwp27755, which is already available for download.
Cisco experts clarified that the flaw permits an unauthenticated remote attacker to access the affected system by leveraging the hardcoded root account—secured with preset, immutable, and undeletable credentials. Successful exploitation allows the execution of arbitrary commands with root privileges, effectively handing full control of the system to the intruder.
Although Cisco’s Product Security Incident Response Team (PSIRT) has found no evidence of in-the-wild exploitation or publicly available proof-of-concept code at this time, the company has published a set of Indicators of Compromise (IOCs). These IOCs can assist administrators in determining whether their systems have been targeted.
For instance, exploitation of the flaw results in a root login event recorded in the system security log located at /var/log/active/syslog/secure. Since this logging is enabled by default, administrators can inspect their systems by executing the following console command:
file get activelog syslog/secure
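The article only says that a successful exploit leaves a root login entry in the secure log; it does not show what that entry looks like or how to sift a large log for it. The script below is an added example, not code from Cisco or from the article, that scans a copy of the retrieved log for direct root logins over SSH and separates them from failed root attempts and from ordinary administrator sudo use. The line layout it parses is the common Linux sshd/PAM "secure" format, and the hostname, addresses, usernames and timestamps in the sample are constructed for the example; Cisco's actual log lines may differ, so adjust the patterns to what the retrieved file contains.

```python
import re
from typing import Dict, List

# Constructed sample of a retrieved "secure" log. The line format is the common
# Linux sshd/PAM layout and is an assumption for this example; the hostname,
# addresses, user names and times are made up.
SAMPLE_SECURE_LOG = """\
Jul  3 09:58:01 cucm01 sshd[2214]: Accepted password for ccmadmin from 192.0.2.10 port 50123 ssh2
Jul  3 09:58:01 cucm01 sshd[2214]: pam_unix(sshd:session): session opened for user ccmadmin by (uid=0)
Jul  3 10:15:22 cucm01 sshd[3120]: Accepted password for root from 203.0.113.5 port 51234 ssh2
Jul  3 10:15:22 cucm01 sshd[3120]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  3 10:16:03 cucm01 sshd[3301]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jul  3 10:20:45 cucm01 sudo: ccmadmin : TTY=pts/0 ; PWD=/home/ccmadmin ; USER=root ; COMMAND=/bin/ls
"""

# Direct sshd authentication outcomes for the root account. A sudo line with
# USER=root is deliberately not matched: that is an administrator escalating
# privileges, not a login to the root account.
ROOT_AUTH = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for root from (?P<src>\S+) port (?P<port>\d+)"
)
# PAM session line that accompanies a successful interactive root login.
ROOT_SESSION = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"pam_unix\(sshd:session\): session opened for user root\b"
)


def find_root_logins(log_text: str) -> Dict[str, List[Dict[str, str]]]:
    """Scan secure-log text and return successful root logins, failed root
    attempts and root PAM session openings, each as a list of records."""
    result: Dict[str, List[Dict[str, str]]] = {"accepted": [], "failed": [], "sessions": []}
    for line in log_text.splitlines():
        m = ROOT_AUTH.match(line)
        if m:
            rec = {"time": m["ts"], "host": m["host"], "src": m["src"], "method": m["method"]}
            result["accepted" if m["outcome"] == "Accepted" else "failed"].append(rec)
            continue
        m = ROOT_SESSION.match(line)
        if m:
            result["sessions"].append({"time": m["ts"], "host": m["host"]})
    return result


def summarize(findings: Dict[str, List[Dict[str, str]]]) -> str:
    """Return a one-line verdict: successful root logins are the indicator the
    advisory describes, failed attempts are context, nothing found is OK."""
    if findings["accepted"]:
        srcs = sorted({r["src"] for r in findings["accepted"]})
        return f"ALERT: {len(findings['accepted'])} successful root login(s) from {', '.join(srcs)}"
    if findings["failed"]:
        return f"NOTICE: {len(findings['failed'])} failed root login attempt(s), no success"
    return "OK: no direct root logins found"


if __name__ == "__main__":
    import sys
    # Pass the path of the log copy retrieved with "file get activelog syslog/secure";
    # with no argument the constructed sample is scanned instead.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SECURE_LOG
    found = find_root_logins(text)
    print(summarize(found))
    for r in found["accepted"]:
        print(f"  {r['time']} {r['host']}: root via {r['method']} from {r['src']}")
```

Run it against the copy of the secure log that the "file get" command transfers off the appliance. Any entry in the "accepted" list is a direct root login and, on a version in the affected range, should be treated as a compromise indicator and correlated with the source address; sudo activity by named administrators is left out on purpose so that routine maintenance does not drown out the one event that matters here.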
This is not the first instance of hardcoded credentials being discovered in Cisco’s products. Over the years, similar vulnerabilities have been patched in platforms such as IOS XE, the Wide Area Application Services (WAAS) optimization suite, the DNA Center digital infrastructure platform, and the Emergency Responder system.
In the spring of 2025, Cisco urged immediate updates to the Smart Licensing Utility (CSLU) after the discovery of an embedded admin account that had been actively exploited. A month later, another vulnerability involving a hardcoded JSON Web Token (JWT) was addressed—an issue that had allowed remote attackers to seize control of IOS XE devices.