CVE-2025-20302
📋 TL;DR
This vulnerability allows authenticated low-privileged users on Cisco Secure FMC to bypass authorization checks and access reports from different domains managed on the same instance. Attackers can read activity data from domains they shouldn't have access to. Only affects Cisco Secure FMC deployments with multiple domains configured.
💻 Affected Systems
- Cisco Secure Firewall Management Center
📦 What is this software?
Secure Firewall Management Center by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Sensitive domain-specific activity data (firewall logs, intrusion events, user activity) is exposed to unauthorized users, potentially revealing security posture, incident details, or compliance violations.
Likely Case
Low-privileged users access limited activity reports from other domains, potentially gaining insight into security events or configurations they shouldn't see.
If Mitigated
With proper network segmentation and access controls, impact is limited to authorized users within the same security zone.
🎯 Exploit Status
Requires authenticated access and knowledge of report URLs/IDs. No special tools needed beyond web browser or API client.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.1 and later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-authz-bypass-M7xhnAu
Restart Required: No
Instructions:
1. Log into the Cisco Secure FMC web interface.
2. Navigate to System > Updates.
3. Download and apply version 7.4.1 or later.
4. Verify that the update completes successfully.
🔧 Temporary Workarounds
Restrict Report Access
Implement strict access controls on report directories and limit user permissions to only the necessary domains.
🧯 If You Can't Patch
- Implement network segmentation to isolate FMC management interface from untrusted networks.
- Review and restrict user permissions to minimum necessary access, especially for low-privileged accounts.
🔍 How to Verify
Check if Vulnerable:
Check the FMC version via the web interface: System > Updates > Current Version. If the version is below 7.4.1 and multi-domain is enabled, the system is vulnerable.
Check Version:
ssh admin@fmc-host 'show version' or check web interface at System > Updates
Verify Fix Applied:
After patching, verify version is 7.4.1 or higher and test that low-privileged users cannot access reports from unauthorized domains.
📡 Detection & Monitoring
Log Indicators:
- Unusual report access patterns across domains
- Low-privileged users accessing reports with different domain IDs
- Failed authorization attempts for cross-domain report access
Network Indicators:
- HTTP requests to report endpoints with different domain parameters from low-privileged users
SIEM Query:
source="fmc_logs" AND (event_type="report_access" AND user_privilege="low" AND domain_change="true")
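The log indicators above can be turned into a small offline check. The following is an added example, not Cisco's code or part of the original advisory: it runs a cross-domain report-access rule over constructed sample log lines. The key=value line format, the field names (user, role, user_domain, report_domain, report_id, status), the set of roles treated as low-privileged, and the rule that a parent-domain user may legitimately read descendant-domain reports are all assumptions for this example; map them onto the fields your SIEM actually receives from FMC.

```python
"""Cross-domain report-access detector (added example, not Cisco's code).

Assumption: report-access events arrive as key=value lines carrying user,
role, user_domain, report_domain, report_id and status. Real FMC exports
use different field names; adjust parse_line() to match your source.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log lines for this example; not real FMC output.
SAMPLE_LOGS = [
    'ts=2025-01-10T10:00:01Z event_type=report_access user=alice role=admin '
    'user_domain=Global report_domain=Global report_id=101 status=success',
    'ts=2025-01-10T10:00:05Z event_type=report_access user=bob role=analyst '
    'user_domain=Global/TenantA report_domain=Global/TenantA report_id=202 status=success',
    'ts=2025-01-10T10:00:09Z event_type=report_access user=bob role=analyst '
    'user_domain=Global/TenantA report_domain=Global/TenantB report_id=303 status=success',
    'ts=2025-01-10T10:00:12Z event_type=report_access user=carol role=analyst '
    'user_domain=Global/TenantB report_domain=Global/TenantA report_id=204 status=denied',
    'ts=2025-01-10T10:00:15Z event_type=login user=bob role=analyst '
    'user_domain=Global/TenantA status=success',
]

# Assumption: which roles count as "low-privileged" in your deployment.
LOW_PRIV_ROLES = {"analyst", "readonly"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    user: str
    user_domain: str
    report_domain: str
    report_id: str
    status: str
    severity: str


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict (quoted values are unquoted)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def in_scope(user_domain: str, report_domain: str) -> bool:
    """FMC domains form a hierarchy. Assumption for this example: a report is
    in scope when it belongs to the user's own domain or a descendant of it."""
    return report_domain == user_domain or report_domain.startswith(user_domain + "/")


def detect(lines: List[str]) -> List[Finding]:
    """Flag report-access events where a low-privileged user reaches a report
    outside their domain scope. A successful access matches the bypass
    described in the advisory (high); a denied one is still worth reviewing
    as probing (medium)."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("event_type") != "report_access":
            continue
        if ev.get("role") not in LOW_PRIV_ROLES:
            continue
        user_domain = ev.get("user_domain", "")
        report_domain = ev.get("report_domain", "")
        if in_scope(user_domain, report_domain):
            continue
        severity = "high" if ev.get("status") == "success" else "medium"
        findings.append(Finding(
            user=ev.get("user", "?"),
            user_domain=user_domain,
            report_domain=report_domain,
            report_id=ev.get("report_id", "?"),
            status=ev.get("status", "?"),
            severity=severity,
        ))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.user} ({f.user_domain}) read report "
              f"{f.report_id} in {f.report_domain}: {f.status}")
```

On the constructed input the rule yields two findings: bob's successful read of a TenantB report from TenantA (high) and carol's denied attempt (medium); the admin read and the same-domain read are ignored. After patching to 7.4.1 or later, the high-severity pattern should stop appearing, which makes this rule a useful post-patch verification alongside the version check.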