What critical vulnerability did Cisco patch in its Secure Firewall Management Center?

Cisco patched CVE-2025-20265 (CVSS score 10.0), an arbitrary shell command injection vulnerability that could allow unauthenticated remote attackers to execute commands with elevated privileges on affected systems, leading to complete compromise of firewall management infrastructure.

Which Cisco FMC versions are affected by CVE-2025-20265?

The critical flaw affects only specific versions of Cisco Secure FMC Software - releases 7.0.7 and 7.7.0 - but only when RADIUS authentication is enabled for the web-based management interface, SSH management, or both.

How does the CVE-2025-20265 vulnerability work?

The vulnerability is caused by improper handling of user input during the RADIUS authentication phase in the Cisco Secure FMC Software. Attackers can exploit this flaw by crafting malicious credentials that are processed during RADIUS server authentication.

How many vulnerabilities did Cisco patch in this security update?

Cisco patched 15 vulnerabilities in total: 1 critical vulnerability (CVE-2025-20265) with CVSS score 10.0, and 14 high severity vulnerabilities with CVSS scores ranging from 7.7 to 8.6.

What types of vulnerabilities were most common in this Cisco security update?

The majority of the vulnerabilities were denial-of-service flaws affecting various Cisco security products. These included vulnerabilities in Snort 3, IKEv2 implementations, SSL VPN services, and other network security components.

Which Cisco products are affected by these security vulnerabilities?

The affected products include Cisco Secure Firewall Management Center Software, Secure Firewall Threat Defense Software, Secure Firewall Adaptive Security Appliance, IOS and IOS XE software, and various Firepower series appliances including 2100, 3100, and 4200 series.

Are there any prerequisites for exploiting CVE-2025-20265?

Yes, the critical vulnerability can only be exploited on Cisco Secure FMC Software releases 7.0.7 and 7.7.0 when RADIUS authentication is specifically enabled for the web-based management interface, SSH management, or both.

What is the highest CVSS score among the non-critical vulnerabilities?

The highest CVSS scores among the non-critical vulnerabilities are 8.6, which apply to multiple denial-of-service vulnerabilities affecting various Cisco firewall and security products.

How should organizations respond to these Cisco security vulnerabilities?

Cisco has released free software updates to patch all these vulnerabilities and strongly recommends immediate patching. Organizations should prioritize the critical CVE-2025-20265 and implement workarounds if immediate patching is not possible.

What makes CVE-2025-20265 particularly dangerous?

CVE-2025-20265 is particularly dangerous because it has the maximum CVSS score of 10.0, allows unauthenticated remote command execution with elevated privileges, and could lead to complete compromise of firewall management infrastructure, which is critical for network security.

Do these vulnerabilities affect Cisco's cloud-hosted services?

The vulnerabilities primarily affect on-premises Cisco security appliances and software. Organizations using Cisco's cloud-hosted firewall management services should check with Cisco about the specific impact on their deployments.

What authentication methods are safe alternatives to RADIUS for CVE-2025-20265?

Safe alternatives to RADIUS authentication include local user accounts, external LDAP authentication, or SAML single sign-on (SSO). Switching to any of these methods can mitigate the risk while organizations prepare to apply the security patches.

Advisory

Cisco patches critical RADIUS authentication flaw and multiple high-severity flaws in firewall products

Q: What can organizations do if they cannot immediately patch CVE-2025-20265?

Organizations that cannot immediately upgrade can mitigate the risk by switching to alternative authentication methods such as local user accounts, external LDAP authentication, or SAML single sign-on (SSO) instead of RADIUS authentication.

published: Aug. 15, 2025

Take action: If you're using Cisco Secure Firewall Management Center versions 7.0.7 or 7.7.0 with RADIUS authentication enabled, plan a VERY quick patch because there's a flaw that allows system takeover without authentication. Until you can patch disable RADIUS authentication - switch to local accounts, LDAP, or SAML authentication instead. Even if your FMC is isolated from the internet, attackers using another vector to breach the org will find it.

Learn More

Cisco Systems is reporting a critical security vulnerability in its Secure Firewall Management Center (FMC) Software and has patched it as well as multiple high severity flaws:

Critical flaw:

CVE-2025-20265 (CVSS score 10.0) - an arbitrary shell command injection vulnerability that could allow unauthenticated remote attackers to execute commands with elevated privileges on affected systems, leading to complete compromise of firewall management infrastructure. It's caused by improper handling of user input during the RADIUS authentication phase in the Cisco Secure FMC Software. Attackers can exploit this flaw by crafting malicious credentials that are processed during RADIUS server authentication. The flaw affects only specific versions of Cisco Secure FMC Software - releases 7.0.7 and 7.7.0 - but only when RADIUS authentication is enabled for the web-based management interface, SSH management, or both.

Other patched flaws:

CVE-2025-20217 (CVSS score 8.6) - Cisco Secure Firewall Threat Defense Software Snort 3 Denial-of-Service Vulnerability
CVE-2025-20222 (CVSS score 8.6) - Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software for Firepower 2100 Series IPv6 over IPsec Denial-of-Service Vulnerability
CVE-2025-20224 (CVSS score 8.6) - Cisco IOS, IOS XE, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial-of-Service Vulnerability
CVE-2025-20225 (CVSS score 8.6) - Cisco IOS, IOS XE, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial-of-Service Vulnerability
CVE-2025-20239 (CVSS score 8.6) - Cisco IOS, IOS XE, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial-of-Service Vulnerability
CVE-2025-20133 (CVSS score 8.6) - Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial-of-Service Vulnerability
CVE-2025-20243 (CVSS score 8.6) - Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial-of-Service Vulnerability
CVE-2025-20134 (CVSS score 8.6) - Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software SSL/TLS Certificate Denial-of-Service Vulnerability
CVE-2025-20136 (CVSS score 8.6) - Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial-of-Service Vulnerability
CVE-2025-20263 (CVSS score 8.6) - Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Web Services Denial-of-Service Vulnerability
CVE-2025-20148 (CVSS score 8.5) - Cisco Secure Firewall Management Center Software HTML Injection Vulnerability
CVE-2025-20251 (CVSS score 8.5) - Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Denial-of-Service Vulnerability
CVE-2025-20127 (CVSS score 7.7) - Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software for Firepower 3100 and 4200 Series TLS 1.3 Cipher Denial-of-Service Vulnerability
CVE-2025-20244 (CVSS score 7.7) - Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access VPN Web Server Denial-of-Service Vulnerability

Cisco has released free software updates to patch all these vulnerabilities and strongly recommends immediate patching. For the critical CVE-2025-20265, organizations that cannot immediately upgrade can mitigate the risk by switching to alternative authentication methods such as local user accounts, external LDAP authentication, or SAML single sign-on (SSO) instead of RADIUS authentication.

Cisco patches critical RADIUS authentication flaw and multiple high-severity flaws in firewall products

Read More
Juniper J-Web Junos OS Vulnerabilities Combined in Cybercrime …
JWT signature verification bypass enables account takeover in …
TeamViewer reports Security Incident in their internal IT …
Qualys reports two flaws in OpenSSH, one critical …
Perforce Helix Core Server fixes critical remote code …