CVE-2025-20265: Cisco Secure Firewall Management Center (FMC) RADIUS Pre-Auth RCE

A critical (CVSS 10.0)  input-handling flaw in the RADIUS authentication subsystem of Cisco Secure Firewall Management Center (FMC), tracked as CVE-2025-20265 allows unauthenticated remote code execution on the FMC when RADIUS is enabled for the web UI and/or SSH. Impacted releases are 7.0.7 and 7.7.0. 

Cisco has shipped fixes, and there are no vendor workarounds beyond disabling RADIUS (use local/LDAP/SAML instead) until patched. 

Key details

• Affected versions: 7.0.7 and 7.7.0
  
• Severity: CVSS 10.0 (Critical)
  
• Precondition: FMC must be configured to use RADIUS (web, SSH, or both).
  
• Fix status: Patches available; no official workarounds
  
• Mitigation option: If you cannot patch immediately, switch FMC authentication away from RADIUS (local, LDAP, or SAML SSO)
  

Why this matters

Compromise of FMC = compromise of your firewall fleet. An attacker with RCE on the management center can:

• Push or alter FTD/ASA policies, disable protections, deploy backdoored configurations, harvest credentials, and pivot across networks (high blast radius).
  
• Manipulate logging/alerting to hide activity and create persistent access via scheduled tasks or policy changes (high integrity and availability impact). (Reasoned impact based on FMC’s role as centralized policy/orchestration plane.)

Exposure checklist (do these now)

1. Inventory: Identify FMC instances and confirm software versions.
   
2. Is RADIUS enabled? On FMC, check System → Users → External Authentication. If RADIUS objects are enabled for FMC access, you are at risk.
   
3. Internet exposure: Verify the FMC management interface (HTTPS/443, SSH/22) is internal-only and IP-allowlisted/VPN-gated.
   
4. Patch eligibility: Use Cisco’s Software Checker to map your version to fixed builds; plan outage windows.
   

Patch & mitigation guidance

• Primary: Upgrade FMC to a fixed release per Cisco’s advisory/software checker. (Cisco notes affected: 7.0.7, 7.7.0.) CiscoArctic Wolf
  
• Interim risk reduction (if patching must be staged):
  
  • Disable RADIUS for FMC access and switch to local/LDAP/SAML until patched. Arctic Wolf
    
  • Restrict management plane: place FMC behind a VPN/jump host, enforce source IP allowlists, and require MFA (where applicable).
    
  • Increase logging: ensure Audit Logs → Syslog streaming is enabled to your SIEM for FMC change tracking. Cisco+1
    
• No vendor workarounds beyond the above control changes. Cisco

Threat outlook

Public reports indicate no PoC or exploitation observed yet, and CVE is not listed in CISA KEV at publish time. 

But given the pre-auth RCE nature and the strategic value of FMC, expect rapid proof-of-concept development and scanning. Prioritize patching before this becomes commonplace in ransomware/APE playbooks.

Need help fast?

OP Innovate’s Incident Response team can validate exposure, apply compensating controls, and verify fixes against attacker tradecraft. If you want us to run a quick FMC hardening review, contact us now.

Stay Safe. Stay Secure.
OP Innovate Research Team