On the 14th of August 2025, Cisco disclosed a critical vulnerability (CVE-2025-20265, CVSS 10.0) in its Secure Firewall Management Center (FMC) Software, specifically when RADIUS authentication is enabled.
The flaw allows unauthenticated remote attackers to inject and execute arbitrary shell commands with elevated privileges. No prior access is needed – making this an extremely serious risk for internet-exposed FMC systems.
What’s going on?
⚠️ This vulnerability resides in the RADIUS authentication subsystem of Cisco Secure FMC. It’s caused by improper input validation during the authentication process.
⚠️ Attackers can exploit the flaw by sending specially crafted credentials to a vulnerable FMC interface (web-based or SSH), leading to remote code execution with elevated privileges.
⚠️ Affected versions & mitigation:
| Product | Affected Versions | Mitigation |
|---|---|---|
| Cisco Secure FMC | 7.0.7 and 7.7.0 (with RADIUS enabled) | Apply the latest patches from Cisco immediately |
You can find Cisco’s official advisory here: Cisco Security Advisory – CVE-2025-20265
Why is this a problem?
The vulnerability enables:
- Remote command execution without authentication
- Privilege escalation on the FMC system
- Lateral movement across the internal network
- Data exfiltration and system compromise
There are no workarounds other than patching or disabling RADIUS authentication, making rapid response essential.
How does ACEN protect its customers?
If you’re using ACEN’s Extended Detection and Response (XDR) solution, it is designed to block many types of exploitation attempts that occur after the initial compromise. This enables our teams to stop threats and launch an investigation.
ACEN’s MDR service also deploys tailored detection scenarios that monitor system logs from Windows, firewalls, Microsoft 365, and other sources to identify and stop threat actors.
In the event of a serious incident, our Computer Security Incident Response Team (CSIRT) is available to provide expert support and guidance.
We continue to emphasize the importance of proactive security measures. Please ensure your systems are updated with the latest patches and configurations.
What can you do to mitigate the attack?
✅ Apply Cisco’s security updates immediately
✅ Disable RADIUS authentication on FMC if patching isn’t feasible right away
✅ Limit access to FMC interfaces through network segmentation and access controls
But what if you can’t?
🛡️ Isolate FMC systems from external access
🛡️ Temporarily disable RADIUS authentication until patched
🛡️ Monitor authentication logs for anomalies and brute-force attempts
