Cisco Secure Firewall Management Center (FMC) RADIUS Remote Code Execution

THREAT SUMMARY

Cisco has disclosed a critical vulnerability in its Secure Firewall Management Center (FMC) software. Tracked as CVE-2025-20265 and assigned the maximum CVSS score of 10.0, this flaw allows unauthenticated remote attackers to execute arbitrary commands with root privileges. The issue originates in the RADIUS authentication subsystem of FMC. When RADIUS is enabled for the web management or SSH interface, crafted input supplied during authentication is not properly sanitized. As a result, attackers can inject malicious shell commands that are executed on the underlying operating system. This vulnerability affects only Cisco FMC versions 7.0.7 and 7.7.0, but given FMC’s role as the central control plane for firewall and intrusion prevention policies, exploitation could have devastating consequences. Cisco stresses there are no workarounds beyond patching, though disabling RADIUS authentication may serve as a temporary mitigation.

THREAT IMPACT

  • Full system compromise of FMC with root-level access

Key Points:

  • Attackers do not require valid credentials.
  • FMC’s central role means compromise could cascade into network-wide policy manipulation.
  • Exploitation results in pre-authentication remote root access.
  • No known exploitation in the wild yet, but Cisco devices are frequent targets, so immediate patching is strongly advised.

TECHNICAL DETAILS

Cisco Secure Firewall Management Center (FMC) provides a single point of control for Cisco firewalls, intrusion prevention, URL filtering, and advanced threat services. Many organizations integrate FMC with external RADIUS servers to centralize authentication for administrators. In FMC releases 7.0.7 and 7.7.0, the RADIUS authentication subsystem improperly handles user-supplied input. During login, credentials passed to the RADIUS server are not sanitized. Attackers can exploit this weakness by sending specially crafted username/password fields containing shell commands. Because FMC fails to validate the input properly, those commands are executed on the underlying system as root. This creates a remote code execution condition with no need for prior authentication.

TECHNICAL CHARACTERISTICS:

  • Affected Component: RADIUS login handler in FMC software.
  • Root Cause: Improper input validation and unsafe handling of authentication responses.
  • Exploitability: High — requires only network access to FMC login interface.
  • Privileges Required: None (pre-authentication).
  • User Interaction: None.

This is effectively a command injection vulnerability at the heart of FMC’s login mechanism, providing attackers with “push-button” full compromise.

AFFECTED PRODUCTS AND VERSIONS

  • Cisco Secure Firewall Management Center (FMC) 7.0.7 (any build) with RADIUS authentication enabled
  • Cisco Secure Firewall Management Center (FMC) 7.7.0 (any build) with RADIUS authentication enabled

Other versions of FMC are not affected. If RADIUS authentication is not enabled, this vulnerability cannot be exploited.

RISK ASSESSMENT

Exploitation of CVE-2025-20265 would allow attackers to:

  • Gain root-level access to the FMC appliance.
  • Modify or delete firewall and IPS policies across an enterprise.
  • Disable key security services, leaving networks unprotected.
  • Exfiltrate sensitive logs and configurations.
  • Launch further attacks using compromised FMC as a pivot.

Because FMC is often publicly accessible to administrators, the attack surface is broad. The fact that no authentication is needed makes this flaw especially dangerous. Cisco confirms no exploitation has been seen in the wild to date. However, given the high value of network appliances to both advanced persistent threats (APTs) and financially motivated attackers, this is expected to become a priority target.

MITIGATION AND REMEDIATION

Cisco provides no permanent workaround other than applying vendor patches.

Recommended Actions:

  • Apply Cisco Patches Immediately
      • Update FMC 7.0.7 and 7.7.0 to the patched builds released August 2025.
      • Updates are available through Cisco Software Download for customers with valid support contracts.
  • Disable RADIUS Temporarily
      • If patching cannot be performed immediately, disable RADIUS authentication on FMC.
      • Switch to local user accounts, LDAP, or SAML SSO until updates are applied.
      • Cisco has validated that disabling RADIUS prevents exploitation.
  • Validate Configuration
      • After updating or disabling RADIUS, confirm FMC is functioning as expected.
      • Review logs for unusual login attempts or command execution activity.
  • Network Hardening
      • Restrict FMC management interfaces to trusted networks.
      • Implement multi-factor authentication (MFA) where possible.
      • Monitor for suspicious authentication failures and anomalies.
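As an added example (not code from Cisco's advisory or from this write-up), the following Python script shows one way to act on the two log-review recommendations above: it scans RADIUS authentication log lines for usernames containing shell metacharacters, which a legitimate administrator login never needs and which the vulnerability description says should never reach the login handler unsanitized, and for bursts of authentication failures from a single source address. The line format, field names, thresholds and sample log entries are all constructed for this example; FMC's real log format differs, so LOG_RE must be adapted to the actual source before use.

```python
"""Scan RADIUS authentication log lines for indicators relevant to
CVE-2025-20265-style command injection and for failure bursts.

The log line format used here is ASSUMED (constructed for this example);
it is not FMC's actual syslog format. Adapt LOG_RE to the real source.
Lines are expected in chronological order.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumed (constructed) line format:
#   <ISO-8601 timestamp> radius-auth user="<username>" src=<ip> result=<ok|fail>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) radius-auth user="(?P<user>[^"]*)" src=(?P<src>\S+) result=(?P<result>ok|fail)$'
)

# Characters that let a shell split, chain or substitute commands. A normal
# administrator username never contains them, so any hit deserves review.
SHELL_META = re.compile(r'[;&|`$<>(){}\n]')

FAIL_BURST_COUNT = 3                    # failures from one source ...
FAIL_BURST_WINDOW = timedelta(seconds=60)  # ... within this sliding window


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    src: str
    ok: bool


@dataclass
class Finding:
    kind: str    # "shell_meta_in_username" or "failure_burst"
    src: str
    detail: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # fromisoformat() accepts an explicit offset on all supported Python versions
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return AuthEvent(ts, m["user"], m["src"], m["result"] == "ok")


def analyze(lines: List[str]) -> List[Finding]:
    """Return findings for suspicious usernames and per-source failure bursts."""
    findings: List[Finding] = []
    fails_by_src: Dict[str, List[datetime]] = defaultdict(list)
    burst_reported: Set[str] = set()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue

        # Indicator 1: shell metacharacters in the username field.
        if SHELL_META.search(ev.user):
            findings.append(Finding("shell_meta_in_username", ev.src,
                                    f"username={ev.user!r} at {ev.ts.isoformat()}"))

        # Indicator 2: repeated failures from one source inside the window.
        if not ev.ok:
            recent = [t for t in fails_by_src[ev.src] if ev.ts - t <= FAIL_BURST_WINDOW]
            recent.append(ev.ts)
            fails_by_src[ev.src] = recent
            if len(recent) >= FAIL_BURST_COUNT and ev.src not in burst_reported:
                burst_reported.add(ev.src)
                findings.append(Finding("failure_burst", ev.src,
                                        f"{len(recent)} failures within {FAIL_BURST_WINDOW.seconds}s"))
    return findings


# Constructed sample log (not real FMC output). 203.0.113.9 is a documentation address.
SAMPLE_LOG = """\
2025-08-15T10:00:01Z radius-auth user="alice" src=10.0.0.5 result=ok
2025-08-15T10:00:07Z radius-auth user="bob" src=10.0.0.6 result=fail
2025-08-15T10:00:09Z radius-auth user="admin;id" src=203.0.113.9 result=fail
2025-08-15T10:00:10Z radius-auth user="$(id)" src=203.0.113.9 result=fail
2025-08-15T10:00:11Z radius-auth user="root`id`" src=203.0.113.9 result=fail
2025-08-15T10:00:40Z radius-auth user="bob" src=10.0.0.6 result=ok
unrelated line that does not match the assumed format
""".splitlines()


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] src={f.src} {f.detail}")
```

Running the script against the constructed sample reports three suspicious usernames and one failure burst, all from the same source address; the single failed login by "bob" followed by a success is left alone. Pointing the parser at real FMC or RADIUS server logs and tuning FAIL_BURST_COUNT to the environment's normal failure rate is the adaptation a defender would make.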

Additional Cisco Vulnerabilities

Cisco also patched multiple high-severity DoS and injection flaws across ASA, FTD, and FMC in this update. Key examples include:

  • CVE-2025-20217 (CVSS 8.6): Snort 3 DoS in FTD.
  • CVE-2025-20222 (CVSS 8.6): IPv6-over-IPsec DoS (ASA/FTD).
  • CVE-2025-20224/2025-20225/2025-20239 (CVSS 8.6): IKEv2 DoS in IOS/ASA/FTD.
  • CVE-2025-20133 & CVE-2025-20243 (CVSS 8.6): SSL VPN DoS (ASA/FTD).
  • CVE-2025-20148 (CVSS 8.5): HTML injection in FMC.
  • CVE-2025-20251 (CVSS 8.5): VPN Web Server DoS (ASA/FTD).

While none of these are under active exploitation, patching is highly recommended to prevent service disruption.

CONCLUSION

CVE-2025-20265 is among the most severe vulnerabilities disclosed in Cisco products in recent years. With a CVSS score of 10.0, pre-authentication exploitability, and the potential for network-wide impact, this flaw demands immediate action.

Organizations using Cisco Secure FMC with RADIUS authentication should:

  • Prioritize patching to Cisco’s fixed builds
  • Disable RADIUS temporarily if updates cannot be applied
  • Limit FMC exposure to reduce attack surface

By following Cisco’s guidance and implementing the above mitigations, administrators can protect critical firewall infrastructure against compromise.
