
Cisco Warns of CVSS 10.0 FMC RADIUS Flaw Allowing Remote Code Execution

Cisco has released security updates to address a maximum-severity security flaw in Secure Firewall Management Center (FMC) Software that could allow an attacker to execute arbitrary code on affected systems.

The vulnerability, assigned the CVE identifier CVE-2025-20265 (CVSS score: 10.0), affects the RADIUS subsystem implementation and could permit an unauthenticated, remote attacker to inject arbitrary shell commands that are then executed by the device.

The networking equipment major said the issue stems from a lack of proper handling of user input during the authentication phase, as a result of which an attacker could send specially crafted input when entering credentials that get authenticated on the configured RADIUS server.

“A successful exploit could allow the attacker to execute commands at a high privilege level,” the company said in a Thursday advisory. “For this vulnerability to be exploited, Cisco Secure FMC Software must be configured for RADIUS authentication for the web-based management interface, SSH management, or both.”
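The bug class described above is a credential string reaching a shell unescaped. The following added illustration (not Cisco's code; the helper binary path, the login-record layout and all usernames are hypothetical and constructed) shows the unsafe invocation pattern beside two hardened forms, and a log check a defender can run against the advisory's precondition of RADIUS-backed web or SSH logins:

```python
import re
import shlex
import subprocess

RADIUS_HELPER = "/opt/radius-auth"   # hypothetical helper binary, not a real FMC path
SHELL_META = set(";&|`$<>(){}\\'\"\n")  # characters a POSIX shell interprets
USERNAME_OK = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def has_shell_meta(text: str) -> bool:
    return any(ch in SHELL_META for ch in text)

def unsafe_command(username: str, password: str) -> str:
    """VULNERABLE pattern: credentials pasted verbatim into a shell command line.
    Anything after a ';' in the username becomes a second command for sh -c."""
    return f"{RADIUS_HELPER} --user {username} --pass {password}"

def quoted_command(username: str, password: str) -> str:
    """Minimal fix if a shell string is unavoidable: shlex.quote each value."""
    return f"{RADIUS_HELPER} --user {shlex.quote(username)} --pass {shlex.quote(password)}"

def safe_argv(username: str, password: str) -> list:
    """Preferred fix: allowlist the username, then pass an argv list with
    shell=False so each value reaches the helper as one literal argument."""
    if not USERNAME_OK.fullmatch(username):
        raise ValueError("username contains characters outside the allowlist")
    return [RADIUS_HELPER, "--user", username, "--pass", password]

def authenticate(username: str, password: str) -> int:
    # shell=False: no shell ever parses the credentials
    return subprocess.run(safe_argv(username, password), shell=False).returncode

# Constructed sample of login records; the field layout is hypothetical
SAMPLE_LOG = """\
2025-08-15T10:01:02Z auth=radius iface=web user=alice result=success
2025-08-15T10:01:09Z auth=radius iface=ssh user=bob;hostname result=failure
2025-08-15T10:01:15Z auth=local iface=web user=carol|hostname result=failure
"""
RECORD = re.compile(r"auth=(\S+) iface=(\S+) user=(.*?) result=")

def suspicious_radius_logins(log_text: str) -> list:
    """Flag attempts that match the advisory's precondition (RADIUS-backed web
    or SSH login) and carry shell metacharacters in the username."""
    hits = []
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if m and m.group(1) == "radius" and has_shell_meta(m.group(3)):
            hits.append((m.group(2), m.group(3)))
    return hits
```

Local-auth records are deliberately skipped because the advisory ties the flaw to RADIUS authentication only.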


The shortcoming affects Cisco Secure FMC Software releases 7.0.7 and 7.7.0 if they have RADIUS authentication enabled. There are no workarounds other than applying the patches provided by the company. Brandon Sakai of Cisco has been credited with discovering the issue during internal security testing.


Besides CVE-2025-20265, Cisco has also resolved a number of high-severity bugs:

  • CVE-2025-20217 (CVSS score: 8.6) – Cisco Secure Firewall Threat Defense Software Snort 3 Denial-of-Service Vulnerability
  • CVE-2025-20222 (CVSS score: 8.6) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software for Firepower 2100 Series IPv6 over IPsec Denial-of-Service Vulnerability
  • CVE-2025-20224, CVE-2025-20225, CVE-2025-20239 (CVSS scores: 8.6) – Cisco IOS, IOS XE, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial-of-Service Vulnerabilities
  • CVE-2025-20133, CVE-2025-20243 (CVSS scores: 8.6) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial-of-Service Vulnerabilities
  • CVE-2025-20134 (CVSS score: 8.6) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software SSL/TLS Certificate Denial-of-Service Vulnerability
  • CVE-2025-20136 (CVSS score: 8.6) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial-of-Service Vulnerability
  • CVE-2025-20263 (CVSS score: 8.6) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Web Services Denial-of-Service Vulnerability
  • CVE-2025-20148 (CVSS score: 8.5) – Cisco Secure Firewall Management Center Software HTML Injection Vulnerability
  • CVE-2025-20251 (CVSS score: 8.5) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Denial-of-Service Vulnerability
  • CVE-2025-20127 (CVSS score: 7.7) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software for Firepower 3100 and 4200 Series TLS 1.3 Cipher Denial-of-Service Vulnerability
  • CVE-2025-20244 (CVSS score: 7.7) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access VPN Web Server Denial-of-Service Vulnerability

While none of the flaws have come under active exploitation in the wild, network appliances repeatedly end up in attackers' crosshairs, so it is essential that users move quickly to update their instances to the latest version.
