Week 34 – Fire at Cisco Secure FMC

18 – 24 Aug 2025

A newly disclosed CVSS 10.0 vulnerability puts Cisco Secure Firewall Management Center at risk, enabling remote attackers to seize root-level control without authentication.

Cisco Secure Firewall Management Center (FMC) is a centralized management platform used by enterprises and government networks to manage and monitor their Cisco Secure Firewall devices. It’s a critical component in many security infrastructures, providing a single point of control for policy management, threat intelligence, and event analysis. Due to its central role, any vulnerability affecting FMC can have a severe impact on the security posture of an entire organization.

Our CVE of the Week, CVE-2025-20265, is a critical vulnerability that allows an unauthenticated, remote attacker to execute arbitrary shell commands on affected Cisco Secure Firewall Management Center software.

This flaw has been assigned a CVSS score of 10.0, reflecting its potential for harm.

It stems from improper handling of user input within the RADIUS subsystem during the authentication process. When an FMC is configured to use RADIUS for its web-based management or SSH interface, it fails to properly sanitize special characters in the credentials submitted by a user. An attacker can exploit this by crafting a malicious payload within the username or password field. This payload, containing shell metacharacters, is then passed to the underlying operating system and executed with high privileges, typically as the root user. The attacker does not need valid credentials to exploit this, only network access to the management interface.
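The bug class described above, shown as an added illustration (this is not Cisco's code and not taken from the advisory): a submitted username pasted into a shell command line next to the hardened pattern of allow-list validation plus an argv-only call. The helper command, the function names and the allow-list are assumptions, the sample input is constructed, and a POSIX shell is assumed.

```python
import re
import subprocess
import sys

# Hypothetical stand-in for an external authentication helper: it only echoes
# the username it receives as argv[1]. It is not part of any Cisco product.
HELPER = [sys.executable, "-c", "import sys; print('user=' + sys.argv[1])"]

# Conservative allow-list for login names (an assumption; adapt to local policy).
USERNAME_OK = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def check_unsafe(username: str) -> str:
    """Vulnerable pattern: the credential is interpolated into a shell string."""
    cmd = f"echo user={username}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(username: str) -> str:
    """No shell involved: the value travels as a single argv element."""
    return subprocess.run(HELPER + [username], capture_output=True, text=True).stdout


def check_safe(username: str) -> str:
    """Hardened pattern: reject unexpected characters, then call without a shell."""
    if not USERNAME_OK.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    return run_argv(username)


if __name__ == "__main__":
    sample = "alice; echo INJECTED"  # constructed input with a shell metacharacter
    print("shell string :", check_unsafe(sample).splitlines())
    print("argv element :", run_argv(sample).splitlines())
    try:
        check_safe(sample)
    except ValueError as exc:
        print("validated    : rejected,", exc)
```

With the shell string, the text after `;` runs as a second command; as an argv element the same bytes remain part of the username, and the allow-list rejects them before any process is started.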

This vulnerability affects only Cisco Secure FMC Software releases 7.0.7 and 7.7.0 if they have RADIUS authentication enabled.

Cisco has released patches to address this vulnerability. If immediate patching is not feasible, there is a mitigation option: administrators can disable RADIUS authentication for the web and SSH management interfaces and switch to a safer alternative, such as local user accounts, LDAP authentication, or SAML-based Single Sign-On (SSO).

While these alternatives can help, the most effective and recommended course of action is to apply the official security updates provided by Cisco as soon as possible. It is also a good practice to review and harden all authentication mechanisms to prevent similar vulnerabilities in the future.

Official Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79


White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.

With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.

They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.