Cisco FMC RADIUS Flaw Scores CVSS 10 for Pre-Auth RCE

Cisco has disclosed a maximum-severity vulnerability in its Secure Firewall Management Center (FMC) software that allows unauthenticated remote attackers to execute arbitrary commands as root. The flaw, tracked as CVE-2025-20265, carries a CVSS score of 10.0—the highest possible rating.

TL;DR

• What happened: Critical command injection flaw in Cisco FMC RADIUS authentication subsystem
• Who's affected: FMC versions 7.0.7 and 7.7.0 with RADIUS authentication enabled
• Severity: Critical (CVSS 10.0) - no authentication required
• Action required: Upgrade immediately or switch to local, LDAP, or SAML authentication

The Vulnerability

The vulnerability exists in the RADIUS subsystem implementation of Cisco Secure FMC Software. When FMC is configured to use RADIUS for authenticating access to the web-based management interface, SSH management, or both, an attacker can inject malicious shell commands during the authentication phase.

According to Cisco's security advisory, the root cause is improper handling of user-supplied input during RADIUS authentication. An attacker simply needs to craft malicious input when submitting credentials that will be processed by the RADIUS server—no valid credentials are required.

The vulnerability characteristics make this particularly dangerous:

• Attack vector: Network (remotely exploitable)
• Attack complexity: Low
• Privileges required: None
• User interaction: None
• Scope: Changed (can affect resources beyond the vulnerable component)

Successfully exploiting this flaw grants attackers the ability to execute arbitrary shell commands with root-level privileges on the underlying operating system. That level of access effectively means complete control over the firewall management infrastructure.

Affected Systems

The vulnerability specifically impacts Cisco Secure Firewall Management Center Software releases 7.0.7 and 7.7.0. Organizations running these versions should verify their authentication configuration immediately.

Systems are vulnerable only when RADIUS authentication is enabled for the web-based management interface, SSH management, or both. Deployments using local user accounts, LDAP authentication, or SAML single sign-on are not affected.

No Workarounds Available

Cisco has stated there are no workarounds that fully address this vulnerability. However, organizations unable to patch immediately can mitigate risk by switching to an alternative authentication method:

1. Local user accounts: Configure administrative access using local credentials
2. External LDAP: Use LDAP directory authentication instead of RADIUS
3. SAML SSO: Implement SAML-based single sign-on

These mitigations reduce the attack surface but should be considered temporary measures. The only complete fix is upgrading to a patched software release.

Why This Matters

Firewall management platforms represent crown jewels in network infrastructure. An attacker with root access to FMC can manipulate firewall policies, create backdoors, disable security controls, and pivot deeper into corporate networks. The pre-authentication nature of CVE-2025-20265 makes it especially attractive for initial access operations.

This vulnerability arrives amid heightened concern about network appliance security. CISA's recent Binding Operational Directive 26-02 mandates federal agencies replace or remediate vulnerable edge devices—a recognition that attackers increasingly target these systems. Cisco products have been repeatedly caught in the crosshairs, including recent SD-WAN zero-days exploited by threat actors.

Organizations using Cisco's AsyncOS-based products should also review their exposure, as Cisco has released multiple patches for command injection vulnerabilities across its email and web security appliances in recent months.

Recommendations

Security teams should take the following steps:

1. Inventory FMC deployments: Identify all instances running versions 7.0.7 or 7.7.0
2. Check authentication configuration: Determine if RADIUS is enabled for management access
3. Apply patches: Upgrade to a fixed software release through Cisco's regular update channels
4. Implement mitigations: If patching isn't immediately possible, disable RADIUS and switch to alternative authentication
5. Monitor for exploitation: Review logs for suspicious authentication attempts or unexpected command execution

Cisco has released free software updates to address the vulnerability. Customers with valid service contracts can obtain the fix through Cisco's standard software distribution channels.

While no active exploitation has been reported in the wild as of the advisory date, the maximum CVSS score and pre-authentication attack vector make this a high-priority patch. Network appliances have become favorite targets for both sophisticated nation-state groups and financially motivated attackers, and a CVSS 10.0 vulnerability is guaranteed to attract attention.

The vulnerability is tracked under Cisco Bug ID CSCwo91250.