
Critical Cisco Secure Firewall RADIUS Vulnerability (CVE-2025-20265)

Cisco has disclosed a maximum-severity flaw (CVSS 10.0) in the RADIUS subsystem of its Secure Firewall Management Center (FMC). It allows an unauthenticated remote attacker to execute commands as root, potentially compromising the entire firewall management plane.

If your FMC uses RADIUS authentication, patch now or disable it immediately.

What Happened?

  • Vulnerability: CVE-2025-20265

  • Affected: FMC 7.0.7 and 7.7.0 with RADIUS authentication enabled for web or SSH logins

  • Severity: CVSS 10.0 (Critical)

  • Status: No known active exploitation found (yet)

  • Cisco warns:

“An attacker could exploit this vulnerability by sending crafted input when entering credentials that will be authenticated at the configured RADIUS server. A successful exploit could allow the attacker to execute commands at a high privilege level.”

How the Attack Works

The issue comes from improper input sanitization during RADIUS authentication.

Here's the likely flow:

  1. The attacker identifies an FMC instance with RADIUS authentication enabled.

  2. They send specially crafted credentials containing malicious shell commands.

  3. FMC parses the RADIUS response without proper filtering.

  4. The injected commands execute as root on the FMC appliance.

  5. With root, the attacker can change firewall rules, disable logging and alerts, deploy backdoors for persistence, and pivot deeper into the network.

Who's at Risk?

  • Enterprises, MSPs, and government agencies with Cisco FMC deployments.

  • Any organization using RADIUS authentication for FMC management access.

  • Environments where the FMC management interface is exposed to the internet or untrusted networks.

Mitigation

Patch immediately: Cisco has released fixed versions.

If you cannot patch immediately:

  • Disable RADIUS authentication and use local accounts, LDAP, or SAML SSO.

  • Restrict FMC management access to dedicated admin subnets or VPN-only connections.

  • Enable multi-factor authentication for all FMC logins.

  • Monitor RADIUS authentication logs for anomalies or malformed requests.

Lab and Practice

Simulate it in a controlled environment:

  • Deploy FMC v7.0.7 in a virtual lab.

  • Configure RADIUS authentication with a test RADIUS server (e.g., FreeRADIUS).

  • Send RADIUS responses with injected payloads and observe FMC's handling in logs.

  • Patch the FMC and repeat the test to confirm the injection no longer works.

Bonus: create a network-based detection rule to flag suspicious RADIUS packets before they reach FMC.
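As a starting point for that detection rule (and for the log-monitoring step under Mitigation), here is an added example that is not part of the original post or of any Cisco tooling: it parses RADIUS packets per RFC 2865 and flags Access-Requests whose User-Name attribute carries shell metacharacters or is malformed. One caveat worth knowing before deploying this on a sensor: the User-Password attribute is obfuscated with the shared secret on the wire, so a passive monitor can only inspect plaintext attributes such as User-Name; the packets below are constructed test input.

```python
import struct

# RADIUS constants from RFC 2865
ACCESS_REQUEST = 1      # packet code
USER_NAME = 1           # attribute type
HEADER_LEN = 20         # code(1) + id(1) + length(2) + authenticator(16)

# Characters that have no place in a login name but do in a shell command line
SUSPICIOUS_CHARS = set(";|&`$(){}<>\n")


def parse_radius(packet: bytes):
    """Parse the RADIUS header and its attribute TLVs; raise ValueError if malformed."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("declared length does not match packet")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2 : pos + alen]))
        pos += alen
    return code, identifier, attrs


def flag_request(packet: bytes):
    """Return a list of reasons the packet looks suspicious; empty means clean."""
    try:
        code, _, attrs = parse_radius(packet)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    reasons = []
    if code != ACCESS_REQUEST:
        return reasons  # only credentials-bearing requests are inspected here
    for atype, value in attrs:
        if atype == USER_NAME:
            bad = sorted(SUSPICIOUS_CHARS.intersection(value.decode("latin-1")))
            if bad:
                reasons.append(f"User-Name contains shell metacharacters {bad}")
            if len(value) > 64:
                reasons.append("User-Name unusually long")
    return reasons


def build_access_request(username: bytes) -> bytes:
    """Build a minimal Access-Request for testing (constructed input, authenticator zeroed)."""
    attr = bytes([USER_NAME, 2 + len(username)]) + username
    return struct.pack("!BBH", ACCESS_REQUEST, 1, HEADER_LEN + len(attr)) + bytes(16) + attr
```

Feed `flag_request` the UDP payload of each packet seen on the RADIUS port (1812 by default) and alert on any non-empty result; the metacharacter list is a heuristic and should be tuned against the username conventions in your own directory.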

Conclusion

CVE-2025-20265 is a management-plane nightmare: no login required, just a poisoned RADIUS handshake, and your firewall's brain is under hostile control. Treat this as an active risk, even though no proof-of-concept code is circulating yet.

  • Patch first

  • Disable vulnerable features if you can't

  • Reduce your attack surface wherever possible

Because the difference between a firewall and a doorstop is whether the attacker can reprogram it.
