Introduction
Remote attackers can gain privileged shell access to Cisco Secure Firewall Management Center (FMC) Software by sending crafted credentials to the web-based management interface or to the SSH management service. The vulnerability (CVE-2025-20265) affects deployments that authenticate administrative access through RADIUS; with a CVSS base score of 10.0, the risk is critical for any unpatched deployment that has RADIUS enabled.
Cisco is a dominant force in enterprise networking and security, with its Secure Firewall Management Center (FMC) serving as the central platform for managing next-generation firewall and intrusion prevention deployments. FMC is widely used in large organizations and government networks, making vulnerabilities in this product especially impactful.
Technical Information
CVE-2025-20265 is a command injection vulnerability in the RADIUS authentication subsystem of Cisco Secure Firewall Management Center (FMC) Software. The flaw arises from improper handling of user input during the authentication phase: when FMC is configured to use RADIUS for authenticating access to its web-based management interface or its SSH management service, the software fails to neutralize special elements (such as shell metacharacters) in the user-supplied credentials before they reach a downstream component.
As a result, an unauthenticated remote attacker can submit specially crafted credentials containing shell command sequences, which the underlying operating system then executes as a high-privilege user. That is enough to take full control of the FMC appliance. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, "Injection").
Key technical points:
- Exploitation does not require valid credentials, only network reachability to an affected management interface (web or SSH); the crafted credentials are the payload, and a successful login is not needed
- The vulnerable code path exists only when RADIUS authentication is enabled for one or both of these interfaces; an FMC that authenticates administrators locally or through a different external method is not exposed by this CVE
- The injected commands execute in the context of a high-privilege user on the underlying operating system
- The root cause is the absence of input validation or escaping before user-supplied data is handed to the shell
No public code snippets or detailed vulnerable code fragments have been released as of this writing.
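Because the FMC code is not public, the following is an added, illustrative example (not Cisco's code) of the vulnerability class the advisory describes: a credential interpolated into a command string that a shell parses, beside the two-part fix of passing the value as a single argv element without a shell and validating it against an allowlist first. The authentication backend is replaced by the POSIX `echo` utility, which simply prints the username it receives, so the effect of the `;` separator is visible in the output; the usernames are constructed for the demonstration, and the allowlist pattern is an assumption. It assumes a POSIX `/bin/sh`.

```python
import re
import subprocess

# Illustrative stand-in for the real authentication backend (assumption): the FMC RADIUS
# code path is not public, so `echo` is used because it harmlessly prints its argument.
BACKEND = "echo"

# Allowlist for account names (assumption: RADIUS usernames are plain account names;
# a real deployment would align this with its identity source's naming rules).
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

# Constructed inputs for the demonstration, not captured traffic.
BENIGN_USER = "jdoe"
CRAFTED_USER = "jdoe; echo INJECTED"


def auth_vulnerable(username: str) -> str:
    """Injection-prone pattern: the credential is interpolated into a command string
    that /bin/sh parses. ';' ends the intended command and starts the attacker's."""
    cmd = f"{BACKEND} {username}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def auth_argv(username: str) -> str:
    """Core fix: pass the credential as one argv element with shell=False.
    No shell parses it, so metacharacters stay literal data."""
    result = subprocess.run([BACKEND, username], shell=False,
                            capture_output=True, text=True)
    return result.stdout


def is_safe_username(username: str) -> bool:
    """Defense in depth: reject anything outside the allowlist before it reaches any
    downstream component (CWE-74 covers every downstream interpreter, not only /bin/sh)."""
    return USERNAME_RE.fullmatch(username) is not None


def auth_hardened(username: str) -> tuple[bool, str]:
    """Validate first, then invoke without a shell. Returns (accepted, output_or_reason)."""
    if not is_safe_username(username):
        return False, "rejected: username contains characters outside the allowlist"
    return True, auth_argv(username)


if __name__ == "__main__":
    print("vulnerable:", repr(auth_vulnerable(CRAFTED_USER)))  # second line "INJECTED"
    print("argv only :", repr(auth_argv(CRAFTED_USER)))        # literal "jdoe; echo INJECTED"
    print("hardened  :", auth_hardened(CRAFTED_USER))          # rejected before execution
```

The argv form is the fix that actually removes the injection; the allowlist only narrows what can reach the backend. Note also that putting a secret on a command line exposes it in the process list, so a real design would hand the password to the RADIUS client over stdin or through a library call rather than as an argument.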
Patch Information
Cisco has addressed this command injection vulnerability in fixed releases of Secure Firewall Management Center (FMC) Software, listed in the advisory on sec.cloudapps.cisco.com. Upgrade to the fixed release that the advisory specifies for your train. Before upgrading, confirm that the appliance has sufficient memory and that the hardware and current configuration are supported by the target release; if in doubt, contact the Cisco Technical Assistance Center (TAC) or your maintenance provider. Since the vulnerable code path exists only when RADIUS is enabled, an FMC whose web and SSH administrative access is authenticated by another method is not exposed while the upgrade is scheduled.
Affected Systems and Versions
- Cisco Secure Firewall Management Center (FMC) Software
- Only systems configured to use RADIUS authentication for the web-based management interface, the SSH management service, or both are vulnerable
- The affected version ranges and the corresponding fixed releases are listed in the Cisco advisory (cisco-sa-fmc-radius-rce-TNBKf79); consult it for exact versions and upgrade paths
- To determine exposure, check the FMC external authentication configuration (System > Users > External Authentication) for an enabled RADIUS object and whether it is also selected for shell (SSH) access
Vendor Security History
Cisco has experienced several critical vulnerabilities in Secure Firewall Management Center and related security products in recent years. Notable examples include:
- Command injection vulnerabilities in FMC (see cisco-sa-fmc-cmd-inj-v3AWDqN7)
- Multiple remote code execution and authentication bypass flaws across the security product line
Cisco typically issues advisories and patches quickly after disclosure. However, the recurrence of input validation and command injection issues highlights ongoing challenges in secure development and code review practices within the vendor's security product teams.