could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.
yeah sure why not. CVSS 10.0 btw.
CVE-2025-20309: Cisco Unified Communications Manager Static SSH Credentials Vulnerability
Posted on 2025-07-03: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7