CVE-2025-20265
📋 TL;DR
This critical vulnerability in Cisco Secure Firewall Management Center allows unauthenticated remote attackers to execute arbitrary shell commands with high privileges by sending crafted input during RADIUS authentication. Only systems configured for RADIUS authentication for web or SSH management interfaces are affected. Attackers could gain complete control of the management system.
💻 Affected Systems
- Cisco Secure Firewall Management Center (FMC)
📦 What is this software?
Secure Firewall Management Center by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the firewall management system, allowing attackers to reconfigure firewalls, exfiltrate network data, pivot to internal networks, and disrupt security operations.
Likely Case
Remote code execution leading to installation of backdoors, credential theft, and lateral movement within the network.
If Mitigated
No impact if RADIUS authentication is not configured or if proper network segmentation isolates the management interface.
🎯 Exploit Status
Exploitation requires sending crafted input during the RADIUS authentication process; no prior authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.6.0 and later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download and install Cisco Secure FMC Software version 7.6.0 or later from the Cisco Software Center.
3. Reboot the system after installation.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable RADIUS Authentication
Temporarily disable RADIUS authentication and use local authentication until patching is complete.
Network Segmentation
Restrict access to FMC management interfaces to trusted networks only using firewall rules.
🧯 If You Can't Patch
- Disable RADIUS authentication immediately and switch to local authentication
- Implement strict network access controls to limit FMC management interface exposure
🔍 How to Verify
Check if Vulnerable:
Check whether RADIUS authentication is enabled under System > Users > Authentication, and whether the FMC version is below 7.6.0. Both conditions must hold for the system to be vulnerable.
Check Version:
Run show version from the CLI, or check System > Updates in the web interface.
Verify Fix Applied:
Verify FMC version is 7.6.0 or higher via System > Updates > Installed Updates
📡 Detection & Monitoring
Log Indicators:
- Unusual RADIUS authentication attempts
- Failed authentication with unusual characters in username/password fields
- Unexpected shell command execution recorded in system logs, especially around the time of RADIUS authentication events
Network Indicators:
- Unusual RADIUS traffic (UDP 1812/1813) involving the FMC, such as unexpected peers or volumes
- Multiple failed authentication attempts from single source
SIEM Query (pseudo-syntax; the field names are placeholders to map onto your own log schema):
source="fmc" AND (event_type="authentication" AND (username CONTAINS special_characters OR status="failed"))
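The log indicators above (usernames carrying unusual characters, repeated failures from one source) can be turned into a concrete triage script. The following is an added example, not code from Cisco or from this page: it parses constructed sample log lines in an assumed key=value layout (the real FMC audit-log format differs, so map the fields to your own schema), flags RADIUS logins whose username contains shell metacharacters, and lists sources that exceed a failed-attempt threshold.

```python
import re
from collections import Counter

# Constructed sample log lines for this example. The key=value layout is an
# assumption, not the real FMC log format; adjust LINE_RE for your own logs.
SAMPLE_LOGS = [
    '2025-08-15T10:00:01Z fmc auth method=radius user="alice" src=10.0.0.5 status=success',
    '2025-08-15T10:00:07Z fmc auth method=radius user="bob" src=10.0.0.9 status=failed',
    '2025-08-15T10:00:09Z fmc auth method=radius user="bob" src=10.0.0.9 status=failed',
    '2025-08-15T10:00:12Z fmc auth method=radius user="bob" src=10.0.0.9 status=failed',
    '2025-08-15T10:01:30Z fmc auth method=radius user="admin;" src=203.0.113.7 status=failed',
    '2025-08-15T10:02:00Z fmc auth method=local user="carol" src=10.0.0.20 status=success',
]

# Hypothetical line layout: timestamp, "fmc auth", then key=value fields.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) fmc auth method=(?P<method>\w+) user="(?P<user>[^"]*)" '
    r'src=(?P<src>\S+) status=(?P<status>\w+)$'
)

# Characters that have no place in a management-interface username and are
# the "unusual characters" the detection guidance refers to.
SHELL_META = set(';|&$`(){}<>\\\n\r')


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def has_suspicious_chars(username):
    """True if the username contains any shell metacharacter."""
    return any(ch in SHELL_META for ch in username)


def analyze(lines, fail_threshold=3):
    """Scan log lines and return suspicious usernames and repeat-failure sources.

    Only RADIUS authentication events are considered, since CVE-2025-20265
    affects RADIUS-configured FMC systems only.
    """
    suspicious = []          # (timestamp, source, username) with metacharacters
    fails = Counter()        # failed attempts per source address
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "radius":
            continue
        if has_suspicious_chars(ev["user"]):
            suspicious.append((ev["ts"], ev["src"], ev["user"]))
        if ev["status"] == "failed":
            fails[ev["src"]] += 1
    brute = sorted(src for src, n in fails.items() if n >= fail_threshold)
    return {"suspicious_usernames": suspicious, "brute_force_sources": brute}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for ts, src, user in result["suspicious_usernames"]:
        print(f"[metachar] {ts} src={src} user={user!r}")
    for src in result["brute_force_sources"]:
        print(f"[repeat-fail] src={src}")
```

Run it over the sample and it reports the one username containing a semicolon and the single source with three failures; in practice, feed it the FMC authentication log export and tune fail_threshold to the normal failure rate of your administrators.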