Pre-Authentication Remote Code Execution in Cisco FMC via RADIUS (CVE-2025-20265)
August 21st, 2025
Critical

Our Cyber Threat Intelligence Unit has identified a critical vulnerability (CVSS score: 10.0) in the RADIUS authentication subsystem of Cisco Secure Firewall Management Center (FMC) software, identified as CVE-2025-20265. The vulnerability allows an unauthenticated, remote attacker to inject arbitrary shell commands during the authentication phase by sending malicious input through configured RADIUS authentication via the web interface or SSH.
Cisco confirmed the issue affects FMC versions 7.0.7 and 7.7.0, but the vulnerability only applies if RADIUS authentication is enabled for admin access. The flaw was discovered via internal testing, and no active exploitation is known at this time. Cisco has released patches to address it, and currently there are no workarounds beyond installing the update.
Technical Details
Attack Type: Remote Code Execution
Severity: Critical (CVSS 10.0)
Delivery Method: Malicious input sent via RADIUS authentication
Technique: Improper input validation in the RADIUS authentication subsystem
CVE ID: CVE-2025-20265
Affected Products: Cisco Secure FMC 7.0.7 and 7.7.0
Requirement: RADIUS must be enabled for administrative access (web or SSH interface)
CVE-2025-20265 is a command injection vulnerability tied to insufficient sanitization of input received during RADIUS-based authentication in Cisco FMC. Attackers can send specially crafted authentication requests containing malicious inputs that, when passed to the FMC, trigger execution of injected shell commands with elevated privileges.

Impact
An unauthenticated attacker could execute arbitrary commands on the affected system.
Successful exploitation would allow full compromise of the underlying operating system of Cisco FMC.
Because FMC is the central management point, compromising it may enable attackers to disable firewall defences or pivot to other systems.
The flaw is rated at the highest severity, CVSS 10.0, reflecting the critical nature of the risk.
Deployment of persistent backdoors and malware on FMC or downstream devices.
Disruption of security monitoring and enforcement, creating blind spots for further attacks.
Potential lateral movement into broader enterprise networks through compromised FMC.
Detection Method
Organizations can assess their exposure to this vulnerability by:
Verifying FMC software version; systems running 7.0.7 or 7.7.0 are affected
Checking whether RADIUS authentication is enabled for web-based UI or SSH access
Reviewing login/authentication logs for abnormal credential inputs or malformed RADIUS requests
Monitoring system logs for suspicious execution activity associated with authentication routines
Using Cisco advisories to cross-check against environment configurations and validate patch status
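The two checks above that can be automated, the version/RADIUS exposure test and a review of RADIUS Access-Requests for abnormal credential input, as an added example that is not part of this advisory or Cisco's software. It assumes RADIUS packets between FMC and the RADIUS server can be captured and fed in as bytes; the sample packet and username are constructed here, and the metacharacter list is a detection heuristic, not Cisco's filter.

```python
"""Exposure triage for CVE-2025-20265 plus a User-Name anomaly check on RADIUS
Access-Requests (RFC 2865 framing). Added example; not Cisco code. Sample data constructed."""
import re
import struct

AFFECTED_VERSIONS = {"7.0.7", "7.7.0"}   # versions named in the advisory
ATTR_USER_NAME = 1                        # RFC 2865 attribute type for User-Name
# Heuristic: characters that should not appear in an admin login name
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")


def fmc_exposed(version: str, radius_admin_auth: bool) -> bool:
    """True only when the FMC version is affected AND RADIUS is used for admin access."""
    return version in AFFECTED_VERSIONS and radius_admin_auth


def parse_radius_attrs(packet: bytes) -> dict:
    """Parse header (code, id, length, 16-byte authenticator) and AVPs; reject malformed frames."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def suspicious_usernames(packet: bytes) -> list:
    """Return User-Name values containing shell metacharacters or non-printable bytes."""
    hits = []
    for raw in parse_radius_attrs(packet).get(ATTR_USER_NAME, []):
        name = raw.decode("latin-1")
        if SHELL_META.search(name) or not name.isprintable():
            hits.append(name)
    return hits


def build_access_request(username: bytes, ident: int = 1) -> bytes:
    """Construct a minimal Access-Request (code 1) carrying only User-Name, as test input."""
    avp = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    body = b"\x00" * 16 + avp            # zeroed Request Authenticator: sample data only
    return struct.pack("!BBH", 1, ident, 20 + len(avp)) + body
```

Feed real captured Access-Requests to suspicious_usernames(); a malformed-frame ValueError is itself worth logging, since the advisory's detection guidance covers malformed RADIUS requests as well as odd credential input.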
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this Advisory.

Recommendations
Immediately upgrade Cisco Secure Firewall Management Center (FMC) to the fixed software versions provided by Cisco to fully remediate the vulnerability.
Disable RADIUS authentication on FMC if patching cannot be performed right away, and use an alternative supported method such as local accounts, LDAP, or SAML SSO.
Restrict network access to FMC management interfaces so they are only reachable from trusted administrative networks.
Continuously monitor authentication and system logs for suspicious or malformed RADIUS requests, failed login attempts, or unexpected command execution activity.
Conduct vulnerability scans and internal audits to confirm no unpatched or misconfigured FMC instances remain in the environment and apply defense-in-depth strategies.
Conclusion
CVE-2025-20265 is a critical remote command injection vulnerability in Cisco Secure FMC, enabling unauthenticated attackers to execute shell commands with elevated privileges. Given FMC’s central role in firewall policy enforcement, exploitation could cause severe operational disruption and security compromise. Immediate patching is mandatory; alternatives such as disabling RADIUS should be used only as a stopgap. Enterprises must audit their FMC configurations, enforce access controls, and monitor for suspicious authentication behaviour to prevent exploitation.
Organizations using affected FMC versions must patch without delay or, if immediate patching is not possible, disable RADIUS authentication and use alternate methods until secure updates are applied. Failure to remediate this issue could lead to complete loss of administrative control, weakened firewall protections, and broad exposure of enterprise networks to attackers. This vulnerability should be treated with maximum urgency, and both patching and compensating controls should be implemented immediately to safeguard critical firewall management infrastructure.