Affected Vendors This Week:
- Cisco – 4 CVEs (1 critical, 3 medium)
- ASUS – 1 CVE (medium)
Critical Alert: Cisco Unified Communications Manager
This week brings one critical vulnerability demanding immediate attention. CVE-2025-20309 (CVSS 10.0) affects Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME), allowing unauthenticated, remote attackers to compromise systems. With a perfect severity score, this vulnerability poses significant risk to organizations relying on Cisco's unified communications infrastructure. If your environment runs either Unified CM or Unified CM SME, prioritize checking Cisco's security advisories for patch availability and deploy updates as soon as possible.
Additional Cisco Vulnerabilities
Three medium-severity Cisco issues were also disclosed:
- CVE-2025-20310 (CVSS 6.1) – A stored cross-site scripting (XSS) flaw in Cisco Enterprise Chat and Email (ECE) web UI allows unauthenticated attackers to target users with malicious content.
- CVE-2025-20308 (CVSS 6.0) – Cisco Spaces Connector permits authenticated, local users to escalate privileges and execute arbitrary commands as root.
- CVE-2025-20307 (CVSS 4.8) – The Cisco BroadWorks CommPilot Application Software web interface is vulnerable to authenticated XSS attacks.
ASUS Linux Kernel Issue
CVE-2025-38142 (CVSS 5.5) addresses a potential invalid memory access in the ASUS EC sensors driver. This is a Linux kernel-level fix that may affect ASUS router models using affected kernel versions. Check your ASUS device firmware for available updates.
Action Items: Review Cisco security bulletins for patches to Unified CM/SME. Verify your Cisco ECE, Spaces Connector, and CommPilot deployments. Check ASUS router firmware for kernel updates addressing CVE-2025-38142.