CVE-2025-20265: Critical RCE Flaw in Cisco FMC – Patch Now!


Cisco disclosed a critical vulnerability in the RADIUS subsystem of Cisco Secure Firewall Management Center (FMC) software. The vulnerability allows an unauthenticated remote attacker to execute arbitrary shell commands on affected systems.

Severity Level: Critical

Vulnerability Details

  • CVE ID: CVE-2025-20265
  • CVSS Score: 10.0
  • CWE: CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component)
  • Attack Vector: Remote, unauthenticated
  • Impact: Remote Code Execution with elevated privileges
  • The vulnerability stems from improper handling of user input during the RADIUS authentication phase in Cisco FMC. When FMC is configured to use RADIUS for web or SSH management authentication, crafted input can be passed to the system and result in command injection.
  • Specifically, the system does not sanitize input that is processed during credential validation, which leads to shell command injection.
  • Affected Products: Cisco Secure FMC Software releases 7.0.7 and 7.7.0 if they have RADIUS authentication enabled.

Exploitation Of The Vulnerability

To exploit this vulnerability:

  • The attacker does not need prior authentication.
  • The target FMC system must have RADIUS authentication enabled.
  • The attacker can send specially crafted credentials to the authentication interface (web or SSH).
  • Upon successful injection, the attacker gains arbitrary command execution with high privileges on the device.

There are no known instances of active exploitation in the wild as of the publication date.
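
Because the crafted input arrives as login credentials, authentication logs are one place to look for attempts. The following is an added example, not code from Cisco or from the original advisory: it flags login attempts whose username contains characters outside an allow-list. The log format, field names, sample lines and the allow-list itself are constructed assumptions, and it presumes usernames from login attempts are logged.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up format; adapt LINE_RE to the real
# log source (RADIUS server, syslog collector, or FMC audit export).
SAMPLE_LOG = r'''
2025-08-20T10:01:12Z auth service=web src=198.51.100.7 user="jsmith" result=fail
2025-08-20T10:01:40Z auth service=ssh src=198.51.100.7 user="ops-admin@corp.example" result=ok
2025-08-20T10:02:03Z auth service=web src=203.0.113.50 user="test;PLACEHOLDER" result=fail
2025-08-20T10:02:09Z auth service=ssh src=203.0.113.50 user="$(PLACEHOLDER)" result=fail
2025-08-20T10:03:00Z auth service=web src=192.0.2.9 user="CORP\svc_backup" result=ok
'''

LINE_RE = re.compile(
    r'service=(?P<service>\w+) src=(?P<src>\S+) '
    r'user="(?P<user>.*)" result=(?P<result>\w+)$'
)

# Assumed allow-list for management usernames: letters, digits, and . _ @ \ -
# Anything else (quotes, ;, |, &, $, backticks, spaces, ...) is reported.
ALLOWED_CHAR = re.compile(r'[A-Za-z0-9._@\\-]')


def offending_chars(username):
    """Return the sorted set of characters outside the allow-list."""
    return sorted({c for c in username if not ALLOWED_CHAR.fullmatch(c)})


def triage(log_text):
    """Group login attempts with unexpected username characters by source."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not an auth line in the assumed format
        bad = offending_chars(m["user"])
        if bad:
            hits[m["src"]].append((m["service"], m["user"], "".join(bad)))
    return dict(hits)


if __name__ == "__main__":
    for src, events in triage(SAMPLE_LOG).items():
        for service, user, bad in events:
            print(f"{src} {service} user={user!r} unexpected={bad!r}")
```

A hit is a lead for review, not proof of exploitation; tune the allow-list to the naming scheme your directory actually uses.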

Recommendations

  1. Cisco has released free software updates that resolve this issue. Customers with valid support contracts can obtain updates through Cisco’s official channels.
    Use the Cisco Software Checker Tool to:
    • Confirm your current exposure
    • Identify the first fixed release
    • Plan an upgrade path
  2. There are no official workarounds that fix the vulnerability. However, mitigation is possible by:
    a. Disabling RADIUS authentication
    b. Switching to other authentication methods, such as:
    • Local user accounts
    • External LDAP authentication
    • SAML single sign-on (SSO)

Cisco advises testing alternative methods before deploying them in production environments, as functionality may vary depending on configuration.

Source:

  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79


Ampcus Cyber