Cisco FMC CVE-2025-20265 Critical RCE Patch Released
Cisco has patched CVE-2025-20265, a critical RCE flaw in Secure Firewall Management Center (CVSS 10.0). Learn who’s affected and how to protect your network now.
Introduction / TL;DR Executive Summary
Overview of the Vulnerability
CVE-2025-20265 exists in the RADIUS authentication component of Cisco Secure FMC. The flaw arises from improper input sanitization, which allows attackers to inject shell commands through specially crafted RADIUS credentials. Exploitation could lead to complete system compromise with full administrative privileges.
- CVE ID: CVE-2025-20265
- CWE: CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component)
- CVSS Score: 10.0 (Critical)
- Attack Vector: Network
- Privileges Required: None
- User Interaction: None
- Impact: Complete confidentiality, integrity, and availability compromise
Cisco discovered the issue internally and released fixed software on August 14, 2025. The company has confirmed that no public exploits or active attacks have been detected as of this writing.
Affected Systems
Only Cisco Secure FMC systems configured to use RADIUS authentication for admin logins are affected. Versions confirmed as vulnerable include:
- FMC 7.0.7
- FMC 7.7.0
Products not affected:
- Cisco Secure Firewall Threat Defense (FTD)
- Cisco Adaptive Security Appliance (ASA)
If your FMC uses local, LDAP, or SAML authentication instead of RADIUS, it is not exposed to this vulnerability.
Exploitation Details
Attackers can exploit this flaw remotely by sending malicious login credentials to an FMC device with RADIUS enabled. The vulnerability requires no authentication and can be triggered before credential validation occurs. This means any FMC management interface reachable over HTTPS or SSH could be exploited.
While no in-the-wild exploits have been observed, the simplicity and severity of this issue make exploitation likely if systems remain unpatched. Attackers could gain full system access, deploy malicious firewall rules, extract configurations, or pivot deeper into network infrastructure.
Detection Guidance
To determine exposure:
- Check FMC Authentication Configuration:
Navigate to System > Users > External Authentication and confirm if RADIUS is enabled.
If RADIUS is not in use, your system is not currently vulnerable. - Vulnerability Scanning:
- Log Review:
Inspect RADIUS authentication logs for failed login attempts with strange characters or command-like syntax. Unexpected access attempts may indicate probing or exploitation attempts.
Remediation Guidance
Cisco strongly advises upgrading to fixed releases immediately.
- FMC 7.0.7 → Update to 7.0.8 or later
- FMC 7.7.0 → Update to 7.7.1 or later
If patching is not immediately possible:
- Disable RADIUS authentication and use local or LDAP/SAML logins temporarily.
- Restrict FMC management interface access to trusted networks only.
- Review and remove stored RADIUS configurations to prevent fallback exposure.
Cisco’s Software Checker can help confirm affected versions and recommended upgrade paths.
Recommendations for Security Teams
- Prioritize patching as a critical emergency update.
- Disable RADIUS if patching cannot occur immediately.
- Segment management networks and prevent external access to FMC interfaces.
- Monitor logs for abnormal authentication attempts or configuration changes.
- Harden configuration management systems, treating them as high-value targets.
- Regularly subscribe to Cisco PSIRT alerts to stay ahead of new advisories.
Timeline of Events
- 2025-08-14: Cisco discloses CVE-2025-20265; patches released.
- 2025-08-15: Media and vendors (e.g., BleepingComputer, Arctic Wolf) publish analyses.
- 2025-08-18: Scanners from Qualys and Tenable add detection.
- 2025-10-10: No known active exploitation reported; patch adoption ongoing.
Conclusion
CVE-2025-20265 highlights the critical exposure that optional integrations like RADIUS can introduce in management systems. The flaw’s unauthenticated nature and maximum severity demand immediate action. Apply Cisco’s updates now or disable RADIUS until you can. Restricting FMC access and maintaining rigorous patch management are key to protecting the security backbone of your network.
