Cisco released an emergency software update Thursday for a maximum-severity vulnerability that allows unauthenticated attackers to seize full control of Secure Firewall Management Center (FMC) appliances—the brain of enterprise firewall deployments—simply by firing crafted login credentials at a RADIUS-authenticated management interface.

The flaw, tracked as CVE-2025-20265, scored a perfect 10.0 on the CVSS scale. It gives remote attackers the ability to inject and execute arbitrary shell commands at high privilege levels without requiring any valid account, Cisco confirmed in its advisory. The only precondition: the target FMC must be configured to use RADIUS authentication for its web UI, SSH access, or both.

Discovery and Disclosure
The vulnerability was discovered internally by Cisco software engineer Brandon Sakai during security testing and reported to the Product Security Incident Response Team (PSIRT). Cisco published its security bulletin on August 15, releasing fixed software for affected releases and urging immediate patching. The advisory states there are no workarounds that fully mitigate the flaw, though temporarily disabling RADIUS and using alternative authentication methods can neutralize the risk until patches are applied.

At the time of disclosure, Cisco had no evidence of active exploitation. However, given the high value of FMC—centralized management consoles for network security devices are prized targets for state-sponsored threat actors—security practitioners universally consider rapid exploitation likely once proof-of-concept code surfaces.

How the Attack Works
The root cause is improper handling of user-supplied input in the RADIUS authentication path during the login process. When FMC passes credentials to a configured RADIUS server, the system fails to sufficiently sanitize or validate the data before processing. An attacker can embed shell metacharacters—semicolons, backticks, pipe symbols, or command substitution constructs—inside username or password fields. Because the input flows directly into OS-level operations, the crafted string is interpreted as a command and executed on the appliance’s underlying operating system.

This is a classic command injection vulnerability, but its pre-authentication nature escalates severity dramatically. The attacker requires no prior access; simply reaching the management interface over the network is enough. Once exploited, the payload can spawn a reverse shell, drop persistent backdoors, tamper with firewall policies, exfiltrate monitoring data, or pivot to downstream devices managed by the same FMC.

Affected Systems and Scope
Only FMC releases specifically identified in Cisco’s advisory are vulnerable. Administrators must check their exact build numbers against the fixed-release table. Devices running Secure Firewall ASA or Secure FTD software are not affected by this particular RADIUS implementation issue.

The vulnerability’s impact is not universal because it depends on RADIUS deployment. Organizations that use local accounts, LDAP, or SAML for FMC management authentication without RADIUS are not directly susceptible. However, many enterprises rely on RADIUS for centralized authentication, making the affected footprint significant. Managed service providers (MSPs) that administer multiple customer firewalls through a single FMC face an especially high risk of a cascading breach.

A String of Critical Cisco Bugs
CVE-2025-20265 is the third major Cisco flaw to earn a perfect 10.0 this summer. In June and July, Cisco patched a trio of remote code execution vulnerabilities (CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337) in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). Those also allowed unauthenticated root-level code execution. The rapid sequence underscores the intense focus of both security researchers and threat actors on network infrastructure management tools.

Why the Management Plane Demands Extra Protection
“If you own the FMC, you own the whole shop,” security architect Sarah Clarke noted in a threat briefing. FMC aggregates telemetry, pushes configurations, and enforces policies across hundreds of firewall and intrusion prevention sensors. A compromised FMC can be used to silently disable defenses, create covert tunnels, exfiltrate decrypted traffic logs, and manipulate incident response workflows. The blast radius dwarfs that of a single firewall compromise.

Heightened attention is also warranted because management interfaces are often exposed on internal networks with insufficient segmentation. In audits, security teams routinely find FMC web consoles accessible from user subnets or over VPN gateways without the tight access controls applied to the firewalls themselves. This bug reinforces the principle that management and data planes must be segregated with equal rigor.

Detection and Threat Hunting
Because exploit attempts masquerade as legitimate RADIUS authentication requests, they can easily blend with normal traffic. Security operations centers (SOCs) should deploy the following hunts immediately:

  • Monitor RADIUS authentication logs for usernames or passwords containing command injection indicators: semicolons, vertical bars, backticks, dollar signs, and curly braces.
  • Alert on any FMC process spawning unexpected child processes, particularly shells, shortly after a RADIUS authentication event.
  • Watch for modifications to firewall policies, admin accounts, or pushed configuration changes occurring outside normal change windows.
  • Cross-reference RADIUS server logs with FMC audit logs to identify authentication attempts that succeeded at the RADIUS server but are followed by anomalous system activity.
  • Deploy file integrity monitoring on critical FMC binaries and configuration stores.

If enterprise intrusion detection or endpoint detection products release signatures for this CVE, validate them in a lab first to avoid drowning teams in false positives from legitimate RADIUS traffic.

Immediate Mitigations and Workarounds
Cisco’s advisory emphasizes that no software workaround fully eliminates the vulnerability. The most reliable mitigation is to disable RADIUS authentication for FMC management and switch to an unaffected mechanism—local accounts, LDAP, or SAML single sign-on—until patches can be applied. This temporary change must be carefully planned to avoid lockout.

Network-level hardening is equally urgent. Restrict access to FMC management interfaces to a whitelist of authorized administrative IP addresses. Use dedicated management VLANs, jump hosts with multi-factor authentication (MFA), and VPN tunnels for remote administration. Block all other traffic to the management ports with access control lists.

Organizations that cannot immediately patch should also:

  • Shut down RADIUS for web and SSH management.
  • Enable MFA on all administrative access paths.
  • Ship FMC logs to a central SIEM with aggressive alerting on the hunt patterns above.
  • Create and test an incident response playbook for FMC compromise, including steps to isolate the appliance, preserve volatile evidence, and rebuild from a clean image.

Patching Strategy and Operational Caution
Applying patches to a central management console is a delicate operation. Upgrades may require coordinating maintenance windows with stakeholders, testing authentication interoperability, and validating that policy pushes to managed devices continue working. Cisco recommends:

  1. Inventory all FMC instances and record exact software versions.
  2. Identify which instances use RADIUS for web or SSH authentication.
  3. Establish a prioritized rollout: high-risk appliances (internet-exposed or used by MSPs) first.
  4. Test the patch in a staging environment that mirrors the authentication configuration.
  5. Have a rollback plan and verified configuration backups.

If a patch cannot be installed immediately, compensating controls must be in place and the threat hunt tuned to maximum sensitivity.

Incident Response: What If You’re Already Compromised?
Given the severity, organizations should suspect compromise if any of the hunting signals trigger. Treat a positive indicator as a potential full network compromise because the FMC’s privileges are expansive. Recommended steps:

  • Quarantine the appliance by disabling all network interfaces except a dedicated out-of-band console.
  • Capture a forensic image of RAM, process lists, network connections, and all accessible logs before performing any recovery action.
  • Collect and preserve RADIUS server logs, FMC audit trails, and downstream device logs for correlation.
  • Rebuild the FMC from a known-clean disk image rather than attempting to clean an infected system.
  • Rotate all credentials that may have been stored or cached on the appliance, including RADIUS shared secrets, API tokens, and administrator passwords.
  • Conduct a compromised assessment of all managed devices for signs of unauthorized policy changes or backdoor configurations.

Legal and regulatory notification requirements may apply depending on the organization’s sector and the scope of data exposure.

Looking Ahead
Cisco’s perfect 10.0 bug in FMC is a stark reminder that the software managing security infrastructure is itself a prime target. For years, advanced persistent threat groups—particularly those linked to China—have pursued networking and management appliances with relentless focus. The concentration of risk in a single FMC console demands that security programs elevate management-plane security to the same level of rigor as endpoint and server protection.

Enterprises and MSPs must treat this patch as a priority-one emergency, not just a routine update. The window between public disclosure and active exploitation is narrowing with each passing hour. While Cisco’s internal discovery bought the industry precious lead time, nothing substitutes for swift, orchestrated action—patching, hardening, and hunting—before the first shells are dropped on unwitting organizations.