Cisco on Aug. 14 released an update for a critical 10.0 flaw in the RADIUS subsystem of its Cisco Firewall Management Center (FMC) software that could let an unauthenticated, remote attacker inject arbitrary shell commands.The danger posed by the flaw comes from a successful exploit – which has yet to happen – could let an attacker execute commands at a high privilege level.According to the recent Cisco advisory, the bug – CVE-2025-20265 – was caused by a lack of proper handling of user input during the authentication phase. Cisco said an attacker could exploit the flaw by sending crafted input when entering credentials that are authenticated at the configured RADIUS server.Heath Renfrow, co-founder and CISO at Fenix24, said if left unpatched, CVE-2025-20265 poses a critical, immediate risk. Renfrow said because this it’s pre-authentication, remote code execution flaw with a CVSS score of 10.0, an attacker doesn’t need valid credentials or any prior foothold in the network to exploit it.Rendrow explained that If RADIUS authentication gets enabled, an adversary could inject arbitrary shell commands directly into the Secure FMC, potentially leading to full administrative control over the device, disabling security policies, planting persistent backdoors, or pivoting deeper into the network.“The lack of a workaround means patching is the only mitigation,” said Renfrow. “Given that FMC often sits at the heart of network security operations, exploitation could neutralize defenses in high-value environments like government, finance, or healthcare. This should be treated as a ‘patch immediately’ priority, ideally same-day, with verification that RADIUS exposure is minimized until updates are applied.”
Security Operations, Vulnerability Management, Firewalls, Routers, SOC, Patch/Configuration Management, Exposure management
Cisco patches Firewall Management Center bug rated 10.0

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



