Cisco has disclosed a critical vulnerability in its Secure Firewall Management Center (FMC) Software.
The remote code execution (RCE) flaw, CVE-2025-20265, has a maximum CVSS severity score of 10.0. Customers have been urged to apply software updates as soon as possible to avoid potential compromise.
The vulnerability lies in the RADIUS subsystem implementation of Cisco FMC Software. Successful exploitation allows an unauthenticated, remote attacker to inject arbitrary shell commands that the device then executes.
RADIUS (Remote Authentication Dial-In User Service) is an authentication, authorization and accounting (AAA) protocol that Cisco devices use to verify user credentials against a central server and to track use of network resources.
“This vulnerability is due to a lack of proper handling of user input during the authentication phase. An attacker could exploit this vulnerability by sending crafted input when entering credentials that will be authenticated at the configured RADIUS server. A successful exploit could allow the attacker to execute commands at a high privilege level,” the tech giant warned in an advisory dated August 14.
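The bug class Cisco describes, an authentication path that passes user-supplied credential input to a shell without proper handling, is easiest to see in miniature. The following is an added illustration of that class, not Cisco's code and not the actual FMC defect: the helper binary name, the server address and the sample usernames are all constructed for the example.

```python
import re
from typing import List

# Hypothetical helper binary that checks credentials against a RADIUS server.
# This name is an assumption for the illustration, not a real Cisco component.
RADIUS_CLIENT = "radius-auth-helper"

# Conservative allowlist for usernames forwarded to an external authenticator.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def build_auth_command_unsafe(username: str, server: str) -> str:
    """Vulnerable pattern: the raw username is spliced into a shell command
    line. If this string is handed to /bin/sh, any shell metacharacter in the
    username (';', '|', backticks, '$(...)') ends the intended command and
    starts an attacker-controlled one."""
    return f"{RADIUS_CLIENT} --server {server} --user {username}"


def build_auth_command_safe(username: str, server: str) -> List[str]:
    """Hardened pattern: an argv list executed without a shell, so the
    username is always one literal argument whatever characters it holds."""
    return [RADIUS_CLIENT, "--server", server, "--user", username]


def username_is_acceptable(username: str) -> bool:
    """Defence in depth: reject input that cannot be a legitimate username
    before it reaches any external process or the RADIUS server."""
    return bool(USERNAME_RE.match(username))


def run_auth(username: str, server: str) -> List[str]:
    """Validate first, then build the no-shell argv. Returns the argv that a
    real implementation would pass to subprocess.run(argv) (never shell=True);
    the call itself is omitted because the helper does not exist here."""
    if not username_is_acceptable(username):
        raise ValueError("username contains disallowed characters")
    return build_auth_command_safe(username, server)
```

A crafted username such as `alice; echo injected` is rejected by the allowlist, and even if it got past validation it would remain a single argv element in the hardened path rather than a second shell command.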
The bug affects Cisco Secure FMC Software releases 7.0.7 and 7.7.0 if they have RADIUS authentication enabled.
How to Address the Firewall Management Flaw
The notification is part of a bundled publication that includes 21 Cisco Security Advisories describing 29 vulnerabilities in Cisco Secure Firewall ASA, Secure FMC and Secure FTD Software.
Cisco has offered customers a free software update to address the specific Secure FMC flaw. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
There are no workarounds that address the vulnerability. However, as it can only be exploited if RADIUS authentication is configured, Cisco said customers can mitigate the issue by switching to another type of authentication, such as local user accounts, external LDAP authentication or SAML single sign-on (SSO).
The latest Cisco advisory follows a spate of reported exploitations of the firm’s products in 2025.
In July, the US Cybersecurity and Infrastructure Security Agency (CISA) added two critical flaws in Cisco Identity Services Engine (ISE) Software to its Known Exploited Vulnerabilities (KEV) catalog.
In March, the agency ordered federal government bodies to patch CVE-2023-20118, a command injection vulnerability in the web-based management interface of multiple Cisco Small Business RV Series routers.
Cisco revealed in February that Chinese state-sponsored actor Salt Typhoon gained access to US telecoms providers through Cisco devices, leveraging a custom-built utility called JumbledPath.