Article Details

Cisco's Secure Firewall Management Center now not-so secure, springs a CVSS 10 RCE hole. Switchzilla's summer of perfect 10s. Cisco has issued a patch for a maximum-severity bug in its Secure Firewall Management Center (FMC) software that could allow an unauthenticated, remote attacker to inject arbitrary shell commands on vulnerable systems. The vulnerability, tracked as CVE-2025-20265, received a critical 10.0 CVSS rating. It's caused by improper handling of user input by FMC's RADIUS authentication subsystem during the login process. Exploitation is possible only if FMC is configured to use RADIUS authentication for the web-based management interface, SSH management, or both. Cisco FMC is a centralized management platform for the vendor's network security products, including firewalls, intrusion prevention systems, URL filtering, and anti-malware tools. It's used by large enterprises, managed service providers (MSPs), government agencies, and educational institutions to manage their networks. RADIUS is an external authentication protocol used to verify users' credentials. "An attacker could exploit this vulnerability by sending crafted input when entering credentials that will be authenticated at the configured RADIUS server," Cisco warned in a Thursday security bulletin. "A successful exploit could allow the attacker to execute commands at a high privilege level." Cisco software engineer Brandon Sakai found this bug during internal security testing. As of now, Cisco isn't aware of any in-the-wild exploitation of this CVE. But it's probably just a matter of time, considering how government-backed attackers — notably those from China — like to target Cisco networking devices. So get patching. This new security hole follows a series of perfect 10 out of 10 severity bugs in Cisco products this summer.  In July, Cisco released a patch for a maximum-severity bug tracked as CVE-2025-20337 in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow an unauthenticated, remote attacker to run arbitrary code on the operating system with root-level privileges.  Cisco disclosed CVE-2025-20337 in an update to a June security advisory about two other max-severity flaws in the same products. Tracked as CVE-2025-20281 and CVE-2025-20282, these also received perfect 10s and affect ISE and ISE-PIC, allowing attackers to execute code on the underlying OS as root.