Cisco Patches Critical FMC RADIUS Flaw (CVE-2025-20265) with CVSS 10.0 Rating

Cisco has released critical security updates to address a maximum-severity flaw in its Secure Firewall Management Center (FMC) Software. The vulnerability, tracked as CVE-2025-20265, carries a perfect CVSS score of 10.0 and could allow attackers to execute arbitrary code remotely without authentication.

The flaw exists in the RADIUS subsystem of Cisco Secure FMC Software. Due to improper handling of user input during the authentication process, a remote attacker can send specially crafted input when entering credentials. This malicious input is processed by the system and passed to the configured RADIUS server, allowing the attacker to inject shell commands.

If exploited successfully, the attacker could run commands with high privilege levels, potentially taking full control of the affected system.

Cisco clarified that this issue only affects systems configured for RADIUS authentication—either for the web-based management interface, SSH management, or both. Systems that do not use RADIUS authentication are not vulnerable to this exploit.

The vulnerability impacts:

• Cisco Secure FMC Software versions 7.0.7 and 7.7.0

• Only if RADIUS authentication is enabled

There are no workarounds for this flaw apart from applying the security patches provided by Cisco. The vulnerability was discovered by Brandon Sakai of Cisco during internal security testing.

With a CVSS score of 10.0, this flaw is rated critical. Remote Code Execution (RCE) vulnerabilities like CVE-2025-20265 are considered among the most dangerous because they allow attackers to run any command on the target system, often leading to data theft, malware deployment, or complete system compromise.

Given that network appliances are frequent targets for attackers, delaying updates could significantly increase the risk of exploitation once public proof-of-concept (PoC) code becomes available.

Alongside CVE-2025-20265, Cisco also patched multiple high-severity vulnerabilities affecting different security products, including Secure Firewall Threat Defense Software, Adaptive Security Appliance (ASA), and Cisco IOS / IOS XE. Some of the notable fixes include:

1. CVE-2025-20217 (CVSS 8.6) – Snort 3 Denial-of-Service (DoS) in Secure Firewall Threat Defense Software.

2. CVE-2025-20222 (CVSS 8.6) – IPv6 over IPsec DoS in Firepower 2100 Series devices.

3. CVE-2025-20224, CVE-2025-20225, CVE-2025-20239 (CVSS 8.6) – IKEv2 DoS vulnerabilities affecting multiple Cisco security products.

4. CVE-2025-20133, CVE-2025-20243 (CVSS 8.6) – Remote Access SSL VPN DoS vulnerabilities in ASA and Secure Firewall Threat Defense Software.

5. CVE-2025-20134 (CVSS 8.6) – SSL/TLS certificate-related DoS flaw.

6. CVE-2025-20136 (CVSS 8.6) – DNS inspection DoS in Network Address Translation (NAT) handling.

7. CVE-2025-20263 (CVSS 8.6) – Web Services DoS vulnerability in ASA and Threat Defense Software.

8. CVE-2025-20148 (CVSS 8.5) – HTML injection flaw in FMC Software.

9. CVE-2025-20251 (CVSS 8.5) – VPN web server DoS vulnerability.

10. CVE-2025-20127 (CVSS 7.7) – TLS 1.3 cipher DoS in Firepower 3100 and 4200 Series.

11. CVE-2025-20244 (CVSS 7.7) – Remote Access VPN web server DoS flaw.

Even though Cisco confirmed that none of these vulnerabilities are currently exploited in the wild, history shows that attackers often target network appliances shortly after vulnerabilities are disclosed. For example, past Cisco firewall and VPN vulnerabilities have been exploited within days of public disclosure.

Patching is essential because:

• Exploits for RCE vulnerabilities often spread quickly.

• Network appliances like FMC and ASA are high-value targets—they sit at the perimeter and control traffic.

• Successful exploitation could give attackers a stepping stone into internal networks.

Cisco strongly advises all administrators to:

1. Check your FMC Software version – If you are running version 7.0.7 or 7.7.0 with RADIUS authentication enabled, you are at high risk.

2. Apply the official Cisco patches immediately – There are no temporary fixes or configuration changes that can fully mitigate CVE-2025-20265.

3. Review your network logs – Look for unusual authentication requests or suspicious command execution patterns.

4. Disable unused authentication methods – If RADIUS authentication is not required, disabling it can reduce attack surface.

CVE-2025-20265 is a critical Cisco firewall vulnerability that demands urgent patching. With a perfect CVSS 10.0 score, it poses a severe risk of remote code execution without authentication. While there’s no evidence of active attacks yet, threat actors are quick to weaponize such flaws, making immediate patching the safest course of action.