Cisco removes SSH backdoor in Unified Communications Manager
The network equipment supplier Cisco has closed security gaps in various products. One gap is considered critical.
Attackers can access Cisco Unified Communications Manager with comparatively little effort and gain full control over systems. The gap has now been closed. There are also security updates for Application Delivery Platform, Enterprise Chat and Email and Spaces Connector.
Backdoor closed
Attackers gain unauthorized access by successfully exploiting a “critical” vulnerability (CVE-2025-20309) in Unified Communications Manager and Unified Communications Manager Session Management Edition. It is classified with the highest possible CVSS score of 10 out of 10. Specifically, versions 15.0.1.13010-1 up to and including 15.0.1.13017-1 are at risk in all configurations.
Access is via a root account with static SSH credentials that cannot be changed. Remote attackers can use it to gain access without authentication and then execute malicious code with root privileges. An instance attacked in this way is usually considered fully compromised. Cisco states that the account is a leftover from development.
In its advisory, the developers list indicators of compromise (IOCs) that admins can use to recognize systems that have already been attacked. Cisco states that it has removed the account in release 15SU3 (July 2025) and also provides a security patch for download. According to the network manufacturer, there are currently no indications that attackers are exploiting the vulnerability.
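A small triage helper for the two checks an admin would want here, added as an example and not code from Cisco or heise: it tests whether a version string falls inside the affected range quoted above, and scans log lines for successful root SSH logins. The sample log lines are constructed, and the log format is assumed to be the standard OpenSSH "Accepted ... for ... from ..." line, which the article does not confirm for this product.

```python
import re
from typing import Iterable, List, Tuple

# Affected range as stated in the article: 15.0.1.13010-1 through 15.0.1.13017-1 inclusive.
AFFECTED_MIN = "15.0.1.13010-1"
AFFECTED_MAX = "15.0.1.13017-1"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a version string such as '15.0.1.13010-1' into a tuple that compares numerically."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True if the version lies inside the affected range (both ends inclusive)."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


# Assumption: sshd writes successful logins in the standard OpenSSH form
# "Accepted <method> for <user> from <ip> port <n> ssh2"; failed attempts say "Failed" and are ignored.
ROOT_LOGIN = re.compile(r"Accepted (?P<method>\S+) for root from (?P<ip>\S+) port (?P<port>\d+)")


def root_ssh_logins(lines: Iterable[str]) -> List[dict]:
    """Return one record per successful root SSH login found in the given log lines."""
    hits = []
    for line in lines:
        m = ROOT_LOGIN.search(line)
        if m:
            hits.append({"line": line.strip(), **m.groupdict()})
    return hits


# Constructed sample log lines (not real data) used to exercise the scanner.
SAMPLE_LOG = [
    "Jul  2 10:14:03 cucm01 sshd[4123]: Accepted password for admin from 192.0.2.7 port 50122 ssh2",
    "Jul  2 10:15:41 cucm01 sshd[4170]: Failed password for root from 198.51.100.9 port 40211 ssh2",
    "Jul  2 10:15:45 cucm01 sshd[4171]: Accepted password for root from 198.51.100.9 port 40212 ssh2",
]

if __name__ == "__main__":
    for v in ("15.0.1.13009-1", "15.0.1.13010-1", "15.0.1.13017-1", "15.0.1.13018-1"):
        print(v, "affected" if is_affected(v) else "not affected")
    for hit in root_ssh_logins(SAMPLE_LOG):
        print("root login:", hit["method"], "from", hit["ip"], "port", hit["port"])
```

A root SSH login on an appliance where root is never used interactively is worth investigating; compare the source address and time against Cisco's published IOCs.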
Further dangers
Enterprise Chat and Email is vulnerable to an XSS attack (CVE-2025-20310, "medium"). Release 12.6(1)_ES11 is patched. Version 11 is no longer supported, so an upgrade to a version that is still supported is necessary there. Version 15 is not vulnerable. XSS attacks are also possible against Application Delivery Platform (CVE-2025-20307, "medium"); release RI.2025.05 contains the security patch.
Authenticated attackers can obtain root privileges via a gap (CVE-2025-20308, "medium") in Spaces Connector. The Connector release 3-Jun 2025 is protected against this.
(des)