Full Report
The vulnerability, which Cisco said it discovered during internal security testing, could allow unauthenticated attackers to execute high-privilege commands. The post Cisco discloses maximum-severity defect in firewall software appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Remote Unauthenticated Command Injection in Cisco Secure Firewall Management Center (FMC)
## CVE Details
- CVE ID: CVE-2025-20265
- CVSS Score: 10.0 (Critical)
- CWE: Improper Neutralization of Special Elements used in an OS Command (CWE-78, implied by command injection)
## Affected Systems
- Products: Cisco Secure FMC Software (Firewall Management Center Software)
- Versions: 7.0.7 and 7.7.0
- Configurations: Must have RADIUS authentication enabled for the web-based management interface, SSH management, or both.
## Vulnerability Description
This is a critical remote code execution vulnerability discovered internally by Cisco. It stems from improper handling of user input during the authentication phase when RADIUS is configured. An unauthenticated attacker can craft malicious packets (leveraging the RADIUS authentication context) that escape the intended command scope, resulting in the execution of arbitrary operating system commands with high privileges.
## Exploitation
- Status: Not exploited in the wild (as of advisory). PoC likely to become available soon.
- Complexity: Low (Remote, unauthenticated access required, but configuration dependent).
- Attack Vector: Network
## Impact
- Confidentiality: High (Ability to execute high-privilege commands often leads to full system compromise/data access)
- Integrity: High (Ability to execute high-privilege commands)
- Availability: High (Ability to execute high-privilege commands can lead to denial of service or system takedown)
## Remediation
### Patches
- Refer to the Cisco advisory for specific updated release versions incorporating the fix for CVE-2025-20265. Customers are strongly urged to upgrade to the latest update releases.
### Workarounds
- Cisco states there are no official workarounds available. Immediate upgrade is strongly recommended.
## Detection
- Indicators of compromise: Look for unusual processes spawned from the management interface or unexpected network behavior originating from authentication attempts if the vulnerability were exploited.
- Detection methods and tools: Customers should use the Cisco Software Checker tool to confirm exposure status for their specific software releases.
## References
- Vendor advisories: sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79
- Patch Information: sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79 (Check final advisory for linked patch releases)
- Software Checker: sec.cloudapps.cisco.com/security/center/softwarechecker.x