A newly disclosed critical security flaw (CVE-2025-20265) has been identified in multiple versions of Cisco Secure Firewall Management Centre (FMC). It could allow an unauthenticated, remote threat actor to execute arbitrary shell commands on the underlying system. The vulnerability resides when RADIUS authentication is enabled and affects FMC versions 7.0.7 and 7.7.0.
Overview
- Vulnerability ID: CVE-2025-20265
- Description: A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Centre (FMC) Software could allow an unauthenticated, remote attacker to inject arbitrary shell commands that are executed by the device.
- CVSS v3.1 Score: 10.0 (Critical)
- Affected Product: Cisco Secure Firewall Management Centre (FMC)
- Vulnerability Type: OS Command Injection
- Exploit Status: No proof of concept (PoC) or known exploitation known yet, however Integrity360 will update this page if this changes.
Affected Versions
Cisco Secure Firewall Management Centre (FMC) Software releases:
If the above have RADIUS authentication enabled.
Monitoring & Detection
- Monitor logs for anomalous CLI activity or unusual commands executed.
- Watch for behavioural signs of compromise, despite no distinct IoCs, elevated system notifications or performance anomalies may signal compromise.
- Consider increased endpoint and network visibility until patches can be deployed.
Recommended Actions
There are Cisco patches available to upgrade the software version so it’s not vulnerable. If patching is not possible, consider using a different type of authentication than RADIUS.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
References:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79