
Cisco Secure Firewall Vulnerability Enables Remote Shell Command Injection Exploits by Hackers

Cisco has disclosed a critical vulnerability in its Secure Firewall Management Center (FMC) Software that could allow an unauthenticated, remote attacker to execute arbitrary shell commands with high-level privileges. The flaw, tracked as CVE-2025-20265 and assigned the maximum CVSS score of 10.0, is one of the most severe security flaws identified in enterprise firewall infrastructure this year. The issue resides in the RADIUS subsystem of Cisco’s Secure FMC Software, specifically in the authentication phase, where user-supplied input is improperly handled. An attacker can exploit it by sending specially crafted credentials during RADIUS authentication, injecting shell commands that the target device then executes. What makes the vulnerability so dangerous is that it requires no authentication and can be exploited remotely over the network: insufficient input validation during credential verification opens the door to command injection whenever the system processes authentication requests destined for the configured RADIUS server.

The vulnerability affects Cisco Secure FMC Software releases 7.0.7 and 7.7.0, but only when RADIUS authentication is enabled for the web-based management interface, SSH management, or both. Organisations that do not use RADIUS authentication are not exposed to this attack vector. Cisco has confirmed that other products in its security portfolio, including Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software, are not affected. Unlike many vulnerabilities for which temporary mitigations exist, Cisco has stated that there are no workarounds for this flaw. Organisations can, however, reduce their exposure by switching to an alternative authentication method such as local user accounts, external LDAP authentication, or SAML single sign-on (SSO). This requires disabling RADIUS authentication entirely, which may disrupt operational workflows and require significant configuration changes. Cisco has released free software updates that address the vulnerability and strongly recommends that all affected systems be patched immediately. The company’s Product Security Incident Response Team (PSIRT) has not reported any public exploitation attempts.
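The root cause described above, credential fields reaching command execution without adequate validation, is a general bug class. The following added example is not Cisco's code and is not derived from the affected FMC releases; it illustrates the defensive pattern an authentication front-end should follow: allow-list validation of the username before it reaches any external program, argv-based invocation with no shell, a password passed over stdin rather than the command line, and a detection helper that flags login attempts carrying shell syntax for SOC alerting. The `radius-client` binary name, the allowed character set, the 64-character limit and the server address are assumptions.

```python
import re
import subprocess

# Conservative allow-list for account names forwarded to the RADIUS client.
# The character set and the 64-character limit are assumptions for this example.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")
# Characters a POSIX shell would interpret if the value were spliced into a command line.
_SHELL_META = frozenset(";&|`$(){}<>\n\r\\'\"*?~ ")


class InvalidCredentialError(ValueError):
    """Raised when a credential field must not be forwarded to the RADIUS client."""


def is_suspicious(value: str) -> bool:
    """Detection helper: True when a submitted field carries shell metacharacters.
    Suitable for raising an alert on authentication attempts that look like injection probes."""
    return any(ch in _SHELL_META for ch in value)


def validate_username(username: str) -> str:
    """Reject anything outside the allow-list before it reaches any external command."""
    if not _USERNAME_RE.fullmatch(username):
        raise InvalidCredentialError("username contains disallowed characters")
    return username


def build_radius_argv(username: str, server: str) -> list:
    """Build argv for a hypothetical 'radius-client' binary (an assumed tool name).
    A list passed with shell=False means no shell ever parses the username, and the
    password is deliberately kept off the command line (see authenticate)."""
    return ["radius-client", "--server", server, "--user", validate_username(username)]


def authenticate(username: str, password: str, server: str) -> bool:
    """Run the client with shell=False and feed the password over stdin so it
    neither passes through a shell nor appears in the process list."""
    argv = build_radius_argv(username, server)
    proc = subprocess.run(argv, input=password.encode(), capture_output=True, check=False)
    return proc.returncode == 0


if __name__ == "__main__":
    # Constructed inputs: a normal login name and a probe carrying shell syntax.
    for user in ("alice@example.net", "alice;echo probe"):
        try:
            print(user, "->", build_radius_argv(user, "10.0.0.5"), "suspicious:", is_suspicious(user))
        except InvalidCredentialError as exc:
            print(user, "-> rejected:", exc, "suspicious:", is_suspicious(user))
```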

Categories: Security Vulnerability, Cisco Products, Mitigation Strategies 

Tags: Cisco, Security, Vulnerability, Secure Firewall, Management Center, RADIUS, Authentication, Command Injection, CVE-2025-20265, Mitigation 
