Cisco disclosed CVE-2025-20265, a critical (CVSS 10.0) remote code execution (RCE) vulnerability in its Secure Firewall Management Center (FMC) Software, affecting versions 7.0.7 and 7.7.0 when RADIUS authentication is enabled. The flaw stems from improper input validation during RADIUS credential processing, allowing unauthenticated attackers to remotely inject and execute arbitrary shell commands with high-level privileges. No authentication or user interaction is required, making it highly exploitable.

The vulnerability poses a severe risk because it enables full system compromise, potentially leading to lateral movement, data exfiltration, or complete takeover of firewall management infrastructure. While no public exploitation has been reported yet, the lack of workarounds (beyond disabling RADIUS) and the critical severity demand immediate patching. Cisco has released fixes but warns that mitigation requires disabling RADIUS, which may disrupt operational workflows.

The flaw was discovered internally, underscoring the threat posed by unpatched enterprise firewall systems. Organizations that fail to patch risk catastrophic breaches, including unauthorized access to sensitive networks, credential theft, or downstream attacks on connected systems.
Source: https://cybersecuritynews.com/cisco-secure-firewall-vulnerability/
TPRM report: https://www.rankiteo.com/company/cisco
"id": "cis751081525",
"linkid": "cisco",
"type": "Vulnerability",
"date": "5/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': ['Networking Hardware', 'Cybersecurity'],
'location': 'San Jose, California, USA',
'name': 'Cisco Systems, Inc.',
'size': 'Large Enterprise',
'type': 'Corporation'}],
'attack_vector': ['Network',
'RADIUS Authentication Exploitation',
'Unauthenticated'],
'customer_advisories': ['Customers using Cisco Secure FMC with RADIUS enabled '
'should apply updates or disable RADIUS immediately.'],
'date_publicly_disclosed': 'August 2025',
'description': 'Cisco has disclosed a critical security vulnerability '
'(CVE-2025-20265, CVSS 10.0) in its Secure Firewall Management '
'Center (FMC) Software, allowing unauthenticated attackers to '
'execute arbitrary shell commands with high-level privileges '
'remotely. The flaw resides in the RADIUS subsystem during the '
'authentication phase, where improper input validation enables '
'command injection via specially crafted credentials. No '
'authentication is required, and exploitation is possible over '
'the network. Affected versions include Cisco Secure FMC '
'Software 7.0.7 and 7.7.0 when RADIUS authentication is '
'enabled. No workarounds exist; patching or disabling RADIUS '
'authentication (switching to LDAP/SAML/local accounts) are '
'the only mitigations. Cisco has released free updates and '
'urges immediate action. No public exploitation has been '
'reported.',
'impact': {'brand_reputation_impact': ['High (critical vulnerability in '
'enterprise firewall infrastructure)'],
'operational_impact': ['Potential disruption if RADIUS '
'authentication is disabled (requires '
'reconfiguration to LDAP/SAML/local '
'accounts)',
'Emergency patching may require maintenance '
'windows'],
'systems_affected': ['Cisco Secure Firewall Management Center '
'(FMC) Software (versions 7.0.7, 7.7.0 with '
'RADIUS enabled)']},
'investigation_status': 'Disclosed; No public exploitation reported. Internal '
'discovery by Cisco.',
'lessons_learned': ['Proactive internal security testing can uncover critical '
'vulnerabilities before exploitation (discovered by '
'Brandon Sakai of Cisco).',
'Vulnerabilities in authentication systems (e.g., RADIUS) '
'can have severe impacts if input validation is '
'insufficient.',
'Lack of workarounds for critical flaws underscores the '
'importance of patch management and alternative '
'mitigation strategies (e.g., disabling vulnerable '
'features).'],
'post_incident_analysis': {'corrective_actions': ['Released patched software '
'versions.',
'Recommended disabling '
'RADIUS authentication as a '
'temporary mitigation.'],
'root_causes': ['Insufficient input validation in '
'RADIUS authentication subsystem.',
'Improper handling of '
'user-supplied credentials during '
'authentication.']},
'recommendations': ['Immediately patch affected Cisco Secure FMC Software '
'(versions 7.0.7, 7.7.0) to the latest release.',
'Disable RADIUS authentication if patching is not '
'immediately feasible, and switch to LDAP, SAML SSO, or '
'local accounts.',
"Prioritize this vulnerability as a 'priority-one' "
'patching scenario due to its critical severity (CVSS '
'10.0) and potential for unauthenticated remote code '
'execution.',
'Conduct a review of all authentication mechanisms in '
'enterprise firewall infrastructure to identify similar '
'input validation risks.',
'Monitor for unusual authentication attempts or command '
'execution on FMC systems until patches are applied.'],
'references': [{'date_accessed': 'August 2025',
'source': 'Cisco Security Advisory: CVE-2025-20265',
'url': 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-KLJ98X7Q'},
{'date_accessed': 'August 2025',
'source': 'Cisco August 2025 Semiannual Security Advisory '
'Bundled Publication',
'url': 'https://sec.cloudapps.cisco.com/security/center/publicationListing.x'}],
'response': {'communication_strategy': ['Public advisory via Cisco’s August '
'2025 Semiannual Security Advisory '
'Bundled Publication',
'Urgent recommendation for immediate '
'patching'],
'containment_measures': ['Disable RADIUS authentication (switch '
'to LDAP/SAML/local accounts)'],
'incident_response_plan_activated': True,
'remediation_measures': ['Apply free software updates provided '
'by Cisco']},
'stakeholder_advisories': ['Urgent patching recommended for all affected '
'organizations.'],
'title': 'Critical Remote Code Execution Vulnerability in Cisco Secure '
'Firewall Management Center (FMC) Software (CVE-2025-20265)',
'type': ['Vulnerability Disclosure',
'Remote Code Execution (RCE)',
'Command Injection'],
'vulnerability_exploited': {'affected_versions': ['7.0.7', '7.7.0'],
'component': 'RADIUS Subsystem (Authentication '
'Phase)',
'cve_id': 'CVE-2025-20265',
'cvss_score': 10.0,
'prerequisites': ['RADIUS authentication enabled '
'for web/SSH management'],
'root_cause': 'Insufficient Input Validation'}}