Cisco warns of a CVSS 10.0 flaw in Firewall Management Center—unauth RCE via RADIUS. Patch or disable now to stop attackers seizing control.

Continue reading
A maximum-severity remote code execution bug in Cisco Secure Firewall Management Center (FMC) lets unauthenticated attackers run shell commands with elevated privileges if RADIUS authentication is enabled for FMC’s web UI or SSH. Patches are available; if you can’t patch immediately, disable RADIUS on FMC and use an alternative authentication method. Cisco says it hasn’t seen exploitation yet.
Cisco disclosed CVE-2025-20265 (CVSS 10.0) in FMC’s RADIUS subsystem. An attacker can send crafted credentials during authentication and get arbitrary command execution on the management appliance with high privilege. No prior auth is needed, but FMC must be configured to use RADIUS for the web console, SSH, or both.
Why this is special: FMC is the central brain for Secure Firewall deployments—policy, logging, upgrades, everything. Compromise here can cascade into rule tampering, defense blind spots, or lateral movement into the rest of the network.
Cisco also bundled this disclosure into its August 14, 2025 Secure Firewall advisory rollup (29 vulns across ASA/FTD/FMC). That event page confirms the CVSS 10.0 rating for CVE-2025-20265 and the multi-product patch drop.
Now (0–24 hours)
Next (24–72 hours) 5\) Hunt & monitor:
Sustain (this week) 7\) Post-patch validation: Confirm FMC build numbers and that RADIUS remains disabled (if used as mitigation) until you can re-enable safely. 8\) Management-plane hygiene: Segment FMC, require MFA, and log every admin action to a remote SIEM.
Alongside CVE-2025-20265, Cisco shipped fixes for multiple high-severity issues affecting ASA/FTD/FMC (largely denial-of-service and management-interface bugs). Highlights include Snort 3 DoS (CVE-2025-20217), IPv6 over IPsec DoS (CVE-2025-20222), Remote Access VPN DoS (CVE-2025-20244), IKEv2 DoS set (CVE-2025-20224/-20225), and more. Cisco notes no workarounds for most of these—except for CVE-2025-20127, where removing a TLS 1.3 cipher is advised. Patch priority should consider your features in use and exposure of web/VPN endpoints.
A non-exhaustive list from Cisco’s and community summaries: CVE-2025-20217, -20222, -20148, -20244, -20133/-20243, -20134, -20136, -20251, -20224/-20225, -20263, -20127 (TLS 1.3), among others in the August bundle. Review Cisco’s matrix to determine which of your exact devices run on it.

A publicly accessible registration portal, a misconfigured Entra tenant, and no server-side authorization checks. That was enough to reach the systems controlling live World Cup streams