Cisco is warning of an important remote code execution (RCE) vulnerability in its safe Firewall Management Center (FMC) Software Radius Subsistem.
Cisco FCM seller is a management platform for safe firewall products, which provides a centralized web or SSH-based interfaces to allow administrators to configure, monitor and update Cisco Firewalls.
Radius in FMC is an alternative external authentication method that allows a remote authentication dial-in user to connect to the service server rather than local accounts.
This configuration is usually used in enterprise and government networks where administrators want accounting for centralized login control and network devices access.
The recently revealed vulnerability has been tracked as CVE-2025-20265 and a maximum severity score of 10 has been obtained.
This can be exploited to allow an informal remote attacker to send a specially prepared input while entering credentials during radius authentication steps.
An opponent thus can achieve arbitrary shell command execution with advanced privileges.
“A vulnerability in the Radius Subsistem Implementation of the Cisco Secure Firewall Management Center (FMC) Software may allow an informal, remote attacker to inject the arbitrary shell command executed by the device,” Warns Cisco in security bulletin,
“This vulnerability is due to lack of proper handling of the user input during the authentication phase,” says the seller. The CVE-2025-20265 FMC version affects 7.0.7 and 7.7.0 when Radius certification is capable of web-based management interfaces, SSH management or both.
Cisco has released free software updates that address the problem. The fix was issued to customers with a valid service contract through regular channels.
If the patch cannot be installed, the recommended mitigation of Cisco is to disable the radius authentication and replace it with a separate method (such as local user accounts, outer LDAP, or SAML single sign-on).
Cisco noted that this mitigation acted in the test, but customers would have to verify its sufficiency and the impact in their environment.
The vulnerability was discovered by Cisco’s security researcher Brandon Sakai, and the seller is not aware of the vulnerability to exploit in the wild.
With CVE-2025-20265, Cisco also released a fix for 13 high-seriousness flaws in various products, none of them were actively marked as exploitation:
The seller says that there are no workarounds for any of the above security issues except CVE-2025-20127, where TLS is recommended to remove 1.3 ciphers.
The seller recommends installing the available latest updates for all other issues.
The passwords broke in 46% of the atmosphere, almost doubled by 25% last year.
Picus Blue Report 2025 Now get a wider look at more conclusions on prevention, detection and data exfIs.
