Article Details

Cisco Warns of CVSS 10.0 FMC RADIUS Flaw Allowing Remote Code Execution. Cisco has released security updates to address a maximum-severity security flaw in Secure Firewall Management Center (FMC) Software that could allow an attacker to execute arbitrary code on affected systems. The vulnerability, assigned the CVE identifier CVE-2025-20265 (CVSS score: 10.0), affects the RADIUS subsystem implementation that could permit an unauthenticated, remote attacker to inject arbitrary shell commands that are executed by the device. The networking equipment major said the issue stems from a lack of proper handling of user input during the authentication phase, as a result of which an attacker could send specially crafted input when entering credentials that get authenticated at the configured RADIUS server. "A successful exploit could allow the attacker to execute commands at a high privilege level," the company said in a Thursday advisory. "For this vulnerability to be exploited, Cisco Secure FMC Software must be configured for RADIUS authentication for the web-based management interface, SSH management, or both." The shortcoming impacts Cisco Secure FMC Software releases 7.0.7 and 7.7.0 if they have RADIUS authentication enabled. There are no workarounds other than applying the patches provided by the company. Brandon Sakai of Cisco has been credited with discovering the issue during internal security testing. Besides CVE-2025-20265, Cisco has also resolved a number of high-severity bugs - While none of the flaws have come under active exploitation in the wild, with network appliances repeatedly getting caught in the attackers' crosshairs, it's essential that users move quickly to update their instances to the latest version.