Cisco is warning a few important distant code execution (RCE) vulnerability within the RADIUS subsystem of its Safe Firewall Administration Middle (FMC) software program.
Cisco FCM is a administration platform for the seller’s Safe Firewall merchandise, which offers a centralized net or SSH-based interface to permit directors to configure, monitor, and replace Cisco firewalls.
RADIUS in FMC is an non-compulsory exterior authentication technique that allows connecting to a Distant Authentication Dial-In Person Service server as a substitute of native accounts.
This configuration is usually utilized in enterprise and authorities networks the place directors need centralized login management and accounting for community machine entry.
The lately disclosed vulnerability is tracked as CVE-2025-20265 and obtained the utmost severity rating of 10 out of 10.
It may be exploited to permit an unauthenticated distant attacker to ship specifically crafted enter when coming into credentials in the course of the RADIUS authentication step.
An adversary may thus obtain arbitrary shell command execution with elevated privileges.
“A vulnerability within the RADIUS subsystem implementation of Cisco Safe Firewall Administration Middle (FMC) Software program may enable an unauthenticated, distant attacker to inject arbitrary shell instructions which might be executed by the machine,” warns Cisco within the safety bulletin.
“This vulnerability is because of an absence of correct dealing with of consumer enter in the course of the authentication section,” the seller says. CVE-2025-20265 impacts FMC variations 7.0.7 and seven.7.0 when the RADIUS authentication is enabled for the web-based administration interface, SSH administration, or each.
Cisco has launched free software program updates that handle the difficulty. The repair was launched via common channels to clients with a legitimate service contract.
If the patch can’t be put in, Cisco’s really helpful mitigation is to disable RADIUS authentication and exchange it with a special technique (e.g. native consumer accounts, exterior LDAP, or SAML single sign-on).
Cisco notes that this mitigation labored in testing, however clients should confirm its applicability and the impression it has of their environments.
The vulnerability was found internally by Cisco’s safety researcher Brandon Sakai, and the seller just isn’t conscious of the vulnerability being exploited within the wild.
Together with CVE-2025-20265, Cisco additionally launched fixes for 13 high-severity flaws throughout numerous merchandise, none of them marked as actively exploited:
The seller says that there aren’t any workarounds for any of the above safety points aside from CVE-2025-20127, the place the advice is to take away the TLS 1.3 cipher.
For all different points the seller recommends putting in the newest updates out there.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and knowledge exfiltration tendencies.
