CVE-2025-20265
Published: 14 August 2025
Summary
CVE-2025-20265 is a critical-severity Injection (CWE-74) vulnerability in Cisco Secure Firewall Management Center. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the command injection vulnerability by requiring validation of user inputs during the RADIUS authentication phase to block crafted malicious credentials.
Supports timely application of vendor patches to remediate the specific flaw in the RADIUS subsystem's input handling.
Restricts the types and characteristics of credential inputs to the authentication interfaces, limiting opportunities for command injection payloads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated RCE via command injection on public management interface (T1190) enables arbitrary Unix shell command execution (T1059.004).
NVD Description
A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to inject arbitrary shell commands that are executed by the device. This vulnerability is due to a lack of…
more
proper handling of user input during the authentication phase. An attacker could exploit this vulnerability by sending crafted input when entering credentials that will be authenticated at the configured RADIUS server. A successful exploit could allow the attacker to execute commands at a high privilege level. Note: For this vulnerability to be exploited, Cisco Secure FMC Software must be configured for RADIUS authentication for the web-based management interface, SSH management, or both.
Deeper analysisAI
CVE-2025-20265 is a critical command injection vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software. It stems from a lack of proper handling of user input during the authentication phase, enabling an unauthenticated, remote attacker to inject arbitrary shell commands that are executed by the device. The vulnerability affects FMC Software instances configured for RADIUS authentication on the web-based management interface, SSH management, or both, and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), associated with CWE-74.
An unauthenticated remote attacker can exploit this vulnerability by sending crafted input in the credentials field during authentication attempts against the configured RADIUS server. A successful exploit allows the attacker to execute arbitrary shell commands at a high privilege level on the affected device, potentially leading to full compromise of the FMC Software.
Security advisories, including the official Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79, provide details on mitigation and available patches. Additional coverage from sources like BleepingComputer and The Register outlines the need to apply vendor-recommended updates promptly for affected systems.
Details
- CWE(s)