Cisco has pushed an urgent patch for a maximum‑severity remote code execution flaw in its Secure Firewall Management Center (FMC) software that allows an unauthenticated attacker to inject and execute arbitrary shell commands on affected appliances when RADIUS authentication is enabled for management interfaces.

Background

Cisco Secure Firewall Management Center (FMC) is the central management platform for Cisco's next‑generation firewall family, intrusion prevention, URL filtering and anti‑malware services. It aggregates device telemetry, policy configuration, event correlation and administration across large networks, making it a high‑value target for attackers who want persistent, high‑privilege access to enterprise security infrastructure.
The vulnerability, tracked as CVE‑2025‑20265 and assigned a CVSS base score of 10.0, was disclosed in an official Cisco security advisory and fixed with software updates. The flaw is rooted in improper handling of user input by FMC’s RADIUS authentication subsystem during the login process. Because the vulnerability sits in the authentication handling layer, the impact is severe: unauthenticated remote attackers may be able to execute arbitrary shell commands that run with elevated privileges on the appliance.
Two key facts shape the risk model for this bug:
  • The vulnerability requires FMC to be configured to use RADIUS authentication for the web‑based management interface, SSH management, or both.
  • Only certain FMC versions are affected; devices not using RADIUS for management authentication are not directly vulnerable to this specific bug.
This advisory arrived amid a cluster of high‑severity, high‑impact Cisco advisories this summer, raising urgency for organizations that run Cisco's security management stack.

What the vulnerability is and how it works

The root cause in plain terms

At its core, CVE‑2025‑20265 is a command‑injection flaw that occurs in FMC’s RADIUS path during authentication. The RADIUS subsystem accepted crafted user input during the authentication flow without sufficient validation or sanitization, enabling specially formed credentials or attributes to be interpreted as shell content or commands on the FMC host.
Because the flaw exists in an input path that ties directly into system‑level processing, successful exploitation can lead to execution of arbitrary commands at a high privilege level—effectively giving an attacker control over the appliance.

Preconditions and attack surface

This vulnerability does not expose every FMC deployment to remote code execution. The specific preconditions are:
  • FMC must be running a vulnerable release (see the “Affected versions” section below).
  • The appliance must be configured to use RADIUS authentication for at least one management channel: the web UI and/or SSH.
  • The attacker must be able to reach the management interface or the authentication path over the network (i.e., management interface is exposed or reachable from an attacker‑controlled host).
If those preconditions are met, an unauthenticated attacker can submit crafted authentication inputs that will be processed by the RADIUS endpoint and, due to improper input handling, end up being executed on the underlying OS.

Why this is so dangerous

  • The vulnerability is pre‑authentication—the attacker needs no valid account on the FMC to trigger it.
  • Command injection at the OS level can allow installation of backdoors, tampering with logs, disabling or altering security policies, and lateral movement into managed devices.
  • FMC controls multiple downstream devices; compromising it may produce broad, persistent network control beyond a single appliance.

Affected versions and scope

  • The flaw specifically affects Cisco Secure Firewall Management Center Software releases that Cisco identified as vulnerable when RADIUS authentication is enabled.
  • Cisco’s advisory lists the affected FMC releases; administrators must consult their exact FMC build numbers to determine exposure.
  • Cisco confirmed that Secure Firewall ASA software and Secure Firewall Threat Defense (FTD) software are not affected by this particular RADIUS implementation issue.
Because product build numbers and fixed releases are precise and frequently updated, enterprises should verify their FMC version strings against the vendor’s fixed‑release list before taking actions that could disrupt operations.

Vendor response and timeline

  • Cisco published a security advisory describing the vulnerability, the affected products, and fixed releases.
  • Cisco assigned the vulnerability a CVSSv3 base score of 10.0, and the advisory indicates that fixed software updates are available through standard upgrade channels for customers with applicable support contracts.
  • Cisco PSIRT reported the issue was discovered internally during security testing and indicated no evidence of public exploitation at the time of disclosure.
  • Cisco also stated there were no workarounds that fully address the vulnerability, but recommended, where operationally feasible, disabling RADIUS authentication for management as a mitigation and replacing it with other authentication mechanisms (local accounts, LDAP, SAML SSO, etc.) until the patch can be applied.

Exploitability, detection and signs of compromise

Exploitability

  • Exploitation is realistic and can be performed remotely if the attacker can reach a management endpoint where RADIUS is used.
  • Because the input point is an authentication field, exploit payloads can be submitted as normal login attempts, making them blend with routine authentication traffic unless specifically monitored.

What to look for in detection and hunting

Security teams should treat FMC appliances as high‑value assets in detection plans. Key signals that may indicate attempted or successful exploitation include:
  • Unusual or malformed RADIUS authentication attempts from unexpected sources, especially patterns that include shell metacharacters or long strings in username/password fields.
  • Unexpected processes or shells spawned by the FMC management process on the appliance; abnormal child processes are a red flag.
  • Sudden changes to configuration, policy, or events that indicate manipulation by an internal process or script.
  • Integrity failures for FMC binaries, missing log entries, or log rotation anomalies consistent with an attacker modifying or deleting forensic evidence.
Suggested log sources and artifacts for hunting:
  • FMC system and audit logs (administrative actions, policy pushes).
  • Local OS process accounting (where available) and syslogging of management events.
  • RADIUS server logs (to see the exact attributes and payloads supplied during authentication attempts).
  • Network capture of management traffic to and from FMC during and around suspicious authentication attempts.
Note: appliance logging capabilities vary by FMC version. If forensic data is missing, prioritize network‑level telemetry and downstream device telemetry for signs of suspicious management commands or policy changes.

Mitigations and recommended immediate actions

When a maximum‑severity vulnerability affecting central management arrives, response must balance speed with operational safety. Recommended actions, in priority order:
  • Identify and inventory: Immediately identify all FMC instances and record versions and configuration details, paying special attention to whether RADIUS authentication is enabled for web/SSH management.
  • Apply vendor patches: Schedule and apply the vendor’s fixed releases as the primary remediation. Test updates in a lab or staging environment before production rollout where possible.
  • Temporary mitigations if patching is delayed:
      • Disable RADIUS authentication for FMC management interfaces and replace it with a safer alternative (local accounts, LDAP, SAML SSO) until the patch is applied.
      • Restrict management access to FMC to a small, allow‑listed set of IPs using ACLs or firewall rules; ideally, management traffic should be allowed only from a secure admin network or jump host.
      • Ensure multi‑factor authentication (MFA) is used for administrative access wherever supported.
  • Hardening and segmentation:
      • Move management interfaces to an isolated management VLAN or dedicated out‑of‑band network.
      • Use bastion/jump hosts with hardened endpoints for administrative access.
  • Monitor and hunt:
      • Deploy focused detections for malformed RADIUS inputs, unexpected child shells, and anomalous admin activity.
      • Perform integrity checks on FMC binaries and configuration backups for suspicious changes.
  • Incident readiness:
      • Prepare incident response playbooks that include steps for isolating compromised FMCs, restoring from clean backups, and rebuilding appliances when compromise is suspected.
Practical notes on mitigation:
  • Disabling RADIUS may require a maintenance window and coordination with identity teams. Test authentication fallbacks before removing RADIUS from production management access to avoid locking out administrators.
  • In environments where FMC management must remain reachable from multiple locations, use VPN gateways or dedicated management tunnels to reduce external exposure rather than opening management ports to wide networks.

Detection recipes and prioritized hunting queries

Security operations teams should add the following hunts and alerts to their triage queues:
  • Alert on RADIUS authentication attempts containing suspicious characters common in command injection payloads (e.g., semicolons, backticks, pipe characters, $(), ${}, and long contiguous strings).
  • Detect any successful authentication followed immediately by a shell execution under the FMC management process or by unexpected process children.
  • Flag sudden changes in FMC admin accounts, privileges, or policy push events outside of normal change windows.
  • Correlate RADIUS server logs with FMC admin logs to find authentication attempts that reach the RADIUS server but are followed by anomalous system artifacts.
If enterprise IDS/IPS or EDR vendors publish signatures for this vulnerability, validate those signatures in a testing environment before deploying widely to avoid high false positive rates.
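The hunts above (shell metacharacters or overlong strings in RADIUS username fields, and a shell spawned under a management process shortly after an authentication attempt) can be prototyped over exported logs before a SIEM rule is written. The following is an added example, not code from the article or from Cisco; the log layout, the process names `httpsd`/`sshd`, the 60‑second window and the 64‑character length threshold are assumptions for illustration, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real FMC or RADIUS output); the simplified
# "timestamp source event key=value ..." layout is an assumption of this example.
SAMPLE_LOGS = """\
2025-08-14T10:01:02Z radius auth user=alice src=10.0.5.20 result=ok
2025-08-14T10:01:10Z radius auth user=bob src=10.0.5.21 result=fail
2025-08-14T10:02:30Z radius auth user=test;x src=203.0.113.9 result=fail
2025-08-14T10:02:31Z fmc proc parent=httpsd child=/bin/sh
2025-08-14T10:05:00Z radius auth user=$(x) src=203.0.113.9 result=fail
2025-08-14T10:09:00Z radius auth user={} src=10.0.5.22 result=fail
""".format("A" * 80)

# Metacharacters the article lists as command-injection indicators.
SHELL_META = re.compile(r"[;`|&]|\$\(|\$\{")
MAX_USER_LEN = 64                        # assumed threshold for "long contiguous strings"
CORRELATION_WINDOW = timedelta(seconds=60)
MGMT_PARENTS = {"httpsd", "sshd"}        # assumed names of management-facing processes
SHELLS = {"/bin/sh", "/bin/bash"}

def parse_line(line):
    """Split one log line into (timestamp, source, event, fields dict)."""
    ts, source, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, event, fields

def analyze(log_text):
    """Return (timestamp, rule_name, detail) findings for the given log text."""
    findings, recent_auths = [], []
    for line in log_text.splitlines():
        ts, source, event, f = parse_line(line)
        if source == "radius" and event == "auth":
            user = f.get("user", "")
            if SHELL_META.search(user):
                findings.append((ts, "shell_metachar_in_username", user))
            if len(user) > MAX_USER_LEN:
                findings.append((ts, "overlong_username", f"len={len(user)}"))
            recent_auths.append((ts, f.get("src", "?")))
        elif source == "fmc" and event == "proc":
            # A shell under a management process shortly after any auth attempt
            if f.get("parent") in MGMT_PARENTS and f.get("child") in SHELLS:
                for auth_ts, src in reversed(recent_auths):
                    if ts - auth_ts <= CORRELATION_WINDOW:
                        findings.append((ts, "shell_after_auth", f"src={src} child={f['child']}"))
                        break
    return findings

if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LOGS):
        print(ts.isoformat(), rule, detail)
```

Tune the metacharacter set and length threshold against a baseline of legitimate usernames in your environment before alerting on them, since some identity stores permit characters such as `&` or `|`.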

Risk assessment and threat landscape

Why this matters for enterprises and MSPs

FMC is commonly used by large enterprises, service providers, government entities, and educational institutions—organizations where FMC compromise can provide a single pivot point to disrupt or surveil a broad estate. Managed Service Providers (MSPs) operating multiple customers’ networks using a centralized FMC are particularly high‑risk; a compromise could cascade across multiple customer environments.

Historical context: Cisco products as attractive targets

High‑profile networking vendors have historically been targeted by sophisticated threat actors because networking gear offers persistent visibility and control. The summer’s cluster of Cisco advisories—including multiple CVSS 10.0 issues reported earlier in related Cisco tooling—illustrates how a series of severe flaws in core management and identity products can rapidly escalate enterprise exposure.
While there was no confirmed public exploitation of this particular FMC RADIUS bug at the time of vendor disclosure, threat intelligence best practice assumes that widespread public disclosure often accelerates exploitation attempts. Organizations must plan as if exploitation is imminent and assume attackers will scan the Internet for vulnerable management interfaces.

Forensics and incident response: if you suspect compromise

If an FMC instance is suspected of compromise, treat it as a potential full network‑control compromise because of the appliance’s admin role. Key response steps:
  • Isolate the appliance from the network to prevent further malicious actions and lateral movement.
  • Preserve volatile evidence: capture RAM (where feasible), process lists, and network captures before rebooting the device.
  • Collect system logs, RADIUS logs, and any downstream device logs that might show policy changes or unexpected connections.
  • Rebuild from known‑good images: because of the depth of potential OS‑level compromise enabled by command injection, the safest remediation is to rebuild the appliance from a clean, vendor‑provided image rather than attempt in‑place remediation of an infected system.
  • Rotate administrative credentials and secrets that may have been accessible via the appliance.
  • Notify stakeholders and follow legal/regulatory breach notification requirements when warranted.

Practical deployment checklist for administrators

  • Inventory all FMC instances and note the exact version strings and management authentication configurations.
  • Immediately check whether RADIUS is enabled for web/SSH management on any FMC instance.
  • If RADIUS is enabled and a rapid update path exists, prioritize patching those appliances first.
  • If patching cannot be completed immediately:
      • Disable RADIUS for management and configure alternative authentication.
      • Restrict management network access using allow‑lists and jump servers.
  • Validate logging and monitoring coverage for FMC: ensure logs are shipped to centralized SIEM, and retention is adequate for forensic analysis.
  • Test patches in a non‑production environment to verify interoperability with authentication infrastructure before wide deployment.
  • Communicate with third‑party vendors and MSPs that have admin access to FMCs to confirm they have patched or implemented mitigations.

Why some patches take time and how to plan around them

Upgrading network security management platforms is operationally sensitive. FMC updates may necessitate:
  • Coordinating downtime windows where managed devices remain protected by existing policies.
  • Validating that identity backends (e.g., RADIUS servers) interoperate with the patched FMC builds.
  • Performing configuration backups and post‑upgrade validation to ensure policy, logging and monitoring continuity.
Enterprises should maintain a structured patch‑management process that includes a fast‑track escalation path for critical security fixes and an emergency rollback plan in case an update causes unexpected operational impact.

Broader implications and mitigation posture

This vulnerability is another reminder that the management plane of security infrastructure is a critical defensive asset and a high‑value target. Hardening efforts must include:
  • Least‑privilege administration and strict separation of duties.
  • Network segmentation that keeps management networks off general user networks.
  • Aggressive logging and immutable off‑appliance log collection.
  • Regular vulnerability scanning and quick patching processes for management appliances.
  • Immutable configuration backups and well‑tested rebuild procedures for rapid recovery.
Adopting these practices reduces blast radius if a management appliance is compromised and speeds recovery.

Final analysis and verdict

CVE‑2025‑20265 is a textbook critical vulnerability: pre‑authentication remote command injection in a central management product used across enterprises and service providers. The fact that the flaw is limited to deployments using RADIUS for management authentication slightly lowers its universal impact, but does not reduce the urgency for affected organizations. The combination of a pre‑auth vector, a direct OS command‑execution outcome, and the centralized nature of FMC elevates this to an incident‑response priority for any organization that runs vulnerable FMC builds.
Recommended priorities for affected organizations:
  • Treat all FMC instances that use RADIUS authentication as high risk until patched.
  • Patch swiftly but safely—test in staging, then roll out in prioritized order.
  • If patching cannot be immediate, disable RADIUS for management access, segment and restrict management network access, and monitor aggressively for signs of abuse.
Security teams should assume adversaries will scan for and target vulnerable management interfaces quickly after public disclosure. Proactive patching, rapid mitigations, and focused hunting will materially reduce the chance that an organization becomes one of the early victims.

The new FMC advisory also reinforces two perennial truths of enterprise security: the management plane deserves as much protection as the data plane, and centralized security tools, while simplifying operations, concentrate risk. Organizations that treat management consoles and identity integrations as untouchable after deployment do so at their peril; this incident is a timely call to action to harden, monitor and maintain fast remediation capabilities for core security infrastructure.

Source: theregister.com Max-severity Cisco firewall management bug leads to RCE