
Cisco Unified Communications Manager Unintentionally Provides A Good Reason To Dump Those Desk Phones

Once Again, Hardcoded Root SSH Credentials Are ALWAYS A Bad Idea!

Companies never learn; today Cisco proves that fact once again with a fix for a security flaw which hasn’t been exploited yet but is begging to be. Cisco Unified Communications Manager, which is used in businesses that still have Cisco phones, has a hardcoded root SSH user that was used for testing and development but was never removed. This is not the first time hardcoded credentials have been found in Cisco software and hardware; Bleeping Computer lists their previous sins in this post.

To determine if things are already too late, you can check whether anyone has used this particular root user by running the command file get activelog syslog/secure on your Cisco Unified CM or Unified CM SME. You can prevent further exploration by installing Cisco Unified CM and Unified CM SME 15SU3 (July 2025) or by applying the CSCwp27755 patch file. That sounds like great news if you aren’t familiar with Cisco; those who do work with them will know exactly what the issue is.
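The script below is an added example, not code from Cisco or from the original post. It shows one way to triage the retrieved secure log for successful root SSH logins. It assumes the log was saved to a text file and that entries follow the standard OpenSSH and PAM syslog wording; the hostname, addresses and log lines are constructed samples.

```python
import re

# Standard OpenSSH success line (assumed format; PID in brackets is optional):
#   sshd[1234]: Accepted <method> for <user> from <ip> port <n> ssh2
ACCEPTED = re.compile(
    r"sshd(?:\[\d+\])?:\s+Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
# PAM line written when the login is actually given a session.
SESSION = re.compile(
    r"sshd(?:\[\d+\])?:\s+pam_unix\(sshd:session\): "
    r"session opened for user (?P<user>\w+)"
)

def find_root_logins(lines):
    """Return one dict per log line showing a successful SSH login as root."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = ACCEPTED.search(line)
        if m and m.group("user") == "root":
            hits.append({"line": lineno, "kind": "accepted",
                         "method": m.group("method"), "src": m.group("src")})
            continue
        m = SESSION.search(line)
        if m and m.group("user") == "root":
            hits.append({"line": lineno, "kind": "session",
                         "method": None, "src": None})
    return hits

# Constructed sample log, not taken from a real system.
SAMPLE_LOG = """\
Jul  2 09:14:03 cucm-pub sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Jul  2 09:15:40 cucm-pub sshd[4188]: Accepted password for administrator from 192.0.2.10 port 50022 ssh2
Jul  2 09:15:40 cucm-pub sshd[4188]: pam_unix(sshd:session): session opened for user administrator by (uid=0)
Jul  2 11:02:17 cucm-pub sshd[5310]: Failed password for root from 198.51.100.23 port 51240 ssh2
Jul  2 11:02:25 cucm-pub sshd[5310]: Accepted password for root from 198.51.100.23 port 51240 ssh2
Jul  2 11:02:25 cucm-pub sshd[5310]: pam_unix(sshd:session): session opened for user root by (uid=0)
""".splitlines()

if __name__ == "__main__":
    # To scan a saved log instead, pass open("secure.txt") (hypothetical file name).
    for hit in find_root_logins(SAMPLE_LOG):
        print(hit)
```

Failed attempts against root are deliberately not reported here; only lines showing that a root login succeeded or opened a session count as hits.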

In order to get those patches you need to have a current license with Cisco.  If you bought your devices from another supplier or have let your service contract expire, you can reach out to the Cisco TAC and hope they will provide the fix for the problem which they created. 

