Cisco's Secure Firewall Management Center now not-so secure, springs a CVSS 10 RCE hole
- Reference: 1755279470
- News link: https://www.theregister.co.uk/2025/08/15/cisco_secure_firewall_management_bug/
- Source link:
The vulnerability, tracked as [1]CVE-2025-20265, received a critical 10.0 CVSS rating. It is caused by improper handling of user input by FMC's RADIUS authentication subsystem during the login process, and Cisco's advisory says it can be triggered by an unauthenticated, remote attacker. Exploitation is possible only if FMC is configured to use RADIUS authentication for the web-based management interface, SSH management, or both. The advisory lists no workaround, but notes that pointing FMC at a different authentication source (local user accounts, external LDAP, or SAML single sign-on) removes the exposure until the fixed release is installed.
Cisco FMC is a centralized management platform for the vendor's network security products, including firewalls, intrusion prevention systems, URL filtering, and anti-malware tools. It is used by large enterprises, managed service providers (MSPs), government agencies, and educational institutions to manage their networks. RADIUS (Remote Authentication Dial-In User Service) is a protocol that lets a device hand off authentication and authorization of a login attempt to an external server; in this configuration FMC forwards the credentials a user types at the management login to that server.
"An attacker could exploit this vulnerability by sending crafted input when entering credentials that will be authenticated at the configured RADIUS server," Cisco warned in a Thursday security bulletin. "A successful exploit could allow the attacker to execute commands at a high privilege level."
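The article leaves the wire-level picture implicit: whatever the user types at the FMC login ends up inside a RADIUS Access-Request sent from FMC to the RADIUS server. The following is an added example, not Cisco's code and not a reproduction of the bug, that builds Access-Request packets per RFC 2865 from constructed sample input and then runs a simple check over them, flagging User-Name values that carry shell metacharacters. The shared secret, usernames and passwords are constructed for the example; the regex of "suspicious" characters is an assumption about what crafted login input would look like, not something taken from the advisory.

```python
"""
Added example (not Cisco's code): parse RADIUS Access-Request packets and flag
User-Name attributes that contain shell metacharacters, the kind of crafted login
input the advisory describes. Packet layout follows RFC 2865; the secret, usernames
and passwords below are constructed for the example.
"""
import hashlib
import os
import re
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

# Assumption: a username that can break out of a shell command or argument
# contains one of these characters. Tune to taste; this is an illustrative set.
SHELL_META = re.compile(r"[;&|`$()<>\n\\'\"{}]")


def build_access_request(username: bytes, password: bytes, secret: bytes, ident: int = 1) -> bytes:
    """Build an Access-Request (RFC 2865 section 4.1) carrying User-Name and a
    PAP-obfuscated User-Password (section 5.2: XOR with chained MD5(secret + prev))."""
    authenticator = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    attrs = (struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
             + struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden)
    length = 20 + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator + attrs


def parse_radius(packet: bytes) -> Tuple[int, Dict[int, List[bytes]]]:
    """Return (code, {attribute_type: [values]}); raise ValueError on a malformed packet."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs


def suspicious_usernames(packet: bytes) -> List[str]:
    """Return the User-Name values of an Access-Request that contain shell metacharacters.
    Non-Access-Request packets yield an empty list."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        return []
    hits = []
    for raw in attrs.get(ATTR_USER_NAME, []):
        name = raw.decode("utf-8", errors="replace")
        if SHELL_META.search(name):
            hits.append(name)
    return hits


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    benign = build_access_request(b"alice", b"hunter2", secret)
    crafted = build_access_request(b"alice; id #", b"hunter2", secret)
    print(suspicious_usernames(benign))   # []
    print(suspicious_usernames(crafted))  # ['alice; id #']
```

Two caveats for anyone running something like this against real traffic between FMC and its RADIUS server (UDP 1812 by default): the User-Name attribute is sent in the clear, but User-Password is obfuscated with the shared secret, so crafted input that travels only in the password field is invisible to a passive observer who lacks the secret; and a clean capture proves nothing about input that FMC mishandles before it ever builds the request. The check is a detection aid while patching, not a substitute for it.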
Cisco software engineer Brandon Sakai found this bug during internal security testing.
As of now, Cisco isn't aware of any in-the-wild exploitation of this CVE. But it's probably just a matter of time, considering how [5]government-backed attackers — notably [6]those from China — like to target Cisco networking devices. So get patching.
[7]Watch out, another max-severity, make-me-root Cisco bug on the loose
[8]Cisco fixes two critical make-me-root bugs on Identity Services Engine components
[9]More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
[10]Ransomware crews don't care about your endpoint security – they've already killed it
This new security hole follows a series of perfect 10 out of 10 severity bugs in Cisco products this summer.
In July, [11]Cisco released a patch for a maximum-severity bug tracked as CVE-2025-20337 in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow an unauthenticated, remote attacker to run arbitrary code on the operating system with root-level privileges.
Cisco disclosed CVE-2025-20337 in an update to a June security advisory about [13]two other max-severity flaws in the same products. Tracked as CVE-2025-20281 and CVE-2025-20282, these also received perfect 10s and affect ISE and ISE-PIC, allowing attackers to execute code on the underlying OS as root.
[1] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79
[5] https://www.theregister.com/2024/04/24/spies_cisco_firewall/
[6] https://www.theregister.com/2025/02/13/salt_typhoon_pwned_7_more/
[7] https://www.theregister.com/2025/07/17/critical_cisco_bug/
[8] https://www.theregister.com/2025/06/26/patch_up_cisco_fixes_two/
[9] https://www.theregister.com/2025/02/13/salt_typhoon_pwned_7_more/
[10] https://www.theregister.com/2025/08/14/edr_killers_ransomware/
[11] https://www.theregister.com/2025/07/17/critical_cisco_bug/
[13] https://www.theregister.com/2025/06/26/patch_up_cisco_fixes_two/
I don't get it
Why do people leave management access to security or networking equipment (or servers or anything) open to the world?
Wouldn't a simple "DROP ALL FROM ALL, ACCEPT ONLY A FEW LAN IPs" (however that is written in Cisco/Fortinet/Mikrotik/enter_your_favourite_vendor language) be enough to stop this and all other "CVEs"?
Re: I don't get it
"Why do people leave management access to security or networking equipment (or servers or anything) open to the world?"
Because they hire cheap people just out of school with degrees as qualifications, over those with experience who would cost a bit more but save them millions long term.
The grey beards know...
Re: I don't get it
Neither do I. Anyone who exposes management interfaces of any type to the Internet at large should not be let near any network.
There are too many people who should know better getting owned by this type of idiocy every day.
The leaky bucket leaks better than before
Cisco. Again.
Not specifically looking at Cisco, but thinking about all the "technical debt" that companies have spent over the decades because they didn't invest in adequate security protocols and quality assurance.
A good explanation - one that even I can understand is at https://en.wikipedia.org/wiki/Technical_debt
Wonder how much companies are willing to spend now to fix these problems. The company CEOs, etc. that made the decisions (or failed because of negligence) have probably already cashed their golden parachutes.