Security Bulletin: Cisco Secure Firewall Management Center (FMC) RADIUS Remote Code Execution Vulnerability

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Cisco Secure Firewall Management Center (FMC) RADIUS Remote Code Execution Vulnerability

CVSS Score: 10.0 (Critical)
Identifier: CVE-2025-20265
Exploit or POC:  No
Update:  CVE-2025-20265 – Cisco Security Advisory

Description: CVE-2025-20265 is a critical command injection vulnerability in Cisco Secure Firewall Management Center (FMC). The flaw arises from improper input validation in the RADIUS authentication subsystem. An unauthenticated remote attacker can exploit it by submitting crafted credentials during authentication, potentially injecting and executing arbitrary shell commands with elevated privileges. This exposure can occur only if FMC is configured to use RADIUS for web-based or SSH management authentication.

Affected Versions:

Mitigation Recommendation: 

• Apply Cisco’s security update for the affected FMC versions immediately.
• If patching cannot be performed right away, disable RADIUS authentication and switch to alternative methods such as local accounts, LDAP, or SAML SSO.
• Limit access to FMC management interfaces using network segmentation, firewall rules, and access control lists.
• Monitor authentication logs for anomalous or suspicious credential attempts that may indicate exploitation.