Cisco has released a security update to address the biggest security flaws in the Secure Firewall Management Center (FMC) software, which allows attackers to run arbitrary code on affected systems.
The vulnerability assigned a CVE identifier CVE-2025-20265 (CVSS score: 10.0) affects the implementation of the RADIUS subsystem, which allows an unauthorized remote attacker to inject any shell commands executed by the device.
The Networking Equipment Major said the issue was due to the lack of proper handling of user input during the authentication phase. As a result, an attacker can send specially created input when entering credentials that are authenticated with the configured RADIUS server.
“A successful exploit allows an attacker to execute commands at a high level of privilege,” the company said in its recommendation on Thursday. “To exploit this vulnerability, Cisco Secure FMC software must be configured for RADIUS authentication with a web-based management interface, SSH management, or both.”
The downside is that if the Cisco Secure FMC software has RADIUS authentication enabled, it releases 7.0.7 and 7.7.0. There is no other workaround than applying the patches provided by the company. Cisco’s Brandon Sakai is believed to have discovered the issue during internal security testing.
In addition to CVE-2025-20265, Cisco has also solved many high-end bugs –
- CVE-2025-20217 (CVSS score: 8.6) – Vulnerability in Cisco Secure Firewall Threat Defense Software Snort 3 Service
- CVE-2025-20222 (CVSS score: 8.6) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software FOR FIREPOWER 2100 Series IPv6
- CVE-2025-20224, CVE-2025-20225, CVE-2025-20239 (CVSS score: 8.6) – Vulnerability in Cisco iOS, iOS XE, Secure Firewall Adaptive Security Appliance, Secure Firewall Threat Defense Software IKEV2 Service
- CVE-2025-20133, CVE-2025-20243 (CVSS score: 8.6) – Cisco Secure Firewall Adaptive Security Appliances and Secure Firewall Threat Defense Software Remote Access SSL VPN Deny Vulnerability Vulnerability
- CVE-2025-20134 (CVSS score: 8.6) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software SSL/TLS Certificate Negation Vulnerability
- CVE-2025-20136 (CVSS score: 8.6) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Reject Vulnerability
- CVE-2025-20263 (CVSS score: 8.6) – Cisco Secure Firewall Adaptive Security Appliances and Secure Firewall Threat Defense Software Web Denial of Service Vulnerability
- CVE-2025-20148 (CVSS score: 8.5) – Cisco Secure Firewall Management Center Software HTML Injection Vulnerability
- CVE-2025-20251 (CVSS score: 8.5) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Deny Service Vulnerability
- CVE-2025-20127 (CVSS score: 7.7) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software For FirePower 3100 and 4200 Series TLS 1.3
- CVE-2025-20244 (CVSS score: 7.7) – Cisco Secure Firewall Adaptive Security Appliances and Secure Firewall Threat Defense Software Remote Access VPN Web Server Deny Service Vulnerability
Network appliances are repeatedly caught up in the attacker’s crosshairs, so there is no flaw under aggressive exploitation in the wild, but it is essential that users move quickly to update their instances to the latest version.
