CVE-2025-20265: RCE Flaw in Cisco Secure Firewall FMC RADIUS Authentication
Cisco has disclosed a critical vulnerability affecting Secure Firewall Management Center Software, along with 28 additional flaws across its firewall product range. Published on August 14 in a series of security advisories, the findings include issues that expose organizations to risks like Denial-of-Service (DoS) attacks, authentication weaknesses, and failures in data and session handling across different services.
In this blog, we examine the critical CVE-2025-20265, summarize key high-impact vulnerabilities, and provide guidance on mitigation steps.
What Is CVE-2025-20265?
CVE-2025-20265 is a critical vulnerability affecting Cisco Secure Firewall Management Center (FMC) Software. Scoring 10.0 on the CVSS scale, this flaw allows unauthenticated remote attackers to execute arbitrary commands on targeted systems.
The root of the issue lies in the software’s RADIUS subsystem, where insufficient input validation during the authentication process opens a dangerous avenue. An attacker can exploit this gap by submitting maliciously crafted credentials to the FMC’s RADIUS-enabled interface. If successful, they gain shell-level access, potentially with elevated privileges.
Cisco has stated that this vulnerability was discovered during internal security testing. At the time of writing, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious exploitation attempts.
Who Is at Risk?
A deployment is at risk only when both of the following conditions are met:
- It runs Cisco Secure FMC Software version 7.0.7 or 7.7.0
- RADIUS authentication is enabled (for web or SSH access)
Notably, other Cisco firewall platforms (including ASA and FTD) are not affected.
No Workarounds, But There’s a Path to Mitigation
Cisco has not provided a workaround for this vulnerability. However, there is a strong mitigation option: disable RADIUS authentication and switch to an authentication method that does not rely on the affected RADIUS subsystem, such as:
- Local user accounts
- LDAP authentication
- SAML-based Single Sign-On (SSO)
Administrators should evaluate the feasibility of this change in their environments, as switching authentication methods may affect workflow or integration with other services.
Other High-Impact Cisco Vulnerabilities Revealed
While CVE-2025-20265 deserves urgent attention, Cisco’s latest advisories also address 17 high-severity vulnerabilities, primarily affecting ASA, FMC, and FTD systems. These include:
- Snort 3 DoS (CVE-2025-20217) – Targeting Cisco Secure Firewall Threat Defense.
- IPv6 over IPsec DoS (CVE-2025-20222) – Affecting Firepower 2100 series devices.
- HTML Injection in FMC (CVE-2025-20148) – Could allow script injection.
- Remote Access SSL VPN DoS (CVE-2025-20133, CVE-2025-20243) – Threatens VPN availability.
- SSL/TLS Certificate DoS (CVE-2025-20134) – Could disrupt secure connections.
- NAT DNS Inspection DoS (CVE-2025-20136) – Impacts DNS traffic handling.
- Remote Access VPN Web Server DoS (CVE-2025-20244) – Could crash VPN service.
- VPN Web Server DoS (CVE-2025-20251) – Could make portals unresponsive.
- Web Services DoS (CVE-2025-20263) – Affects ASA and FTD.
- TLS 1.3 Cipher DoS (CVE-2025-20127) – Impacting Firepower 3100/4200 series.
- IKEv2 DoS Cluster (CVE-2025-20224, CVE-2025-20225, CVE-2025-20239, CVE-2025-20252, CVE-2025-20253, CVE-2025-20254) – Exhausts system resources across IOS, IOS XE, ASA, and FTD.
Cisco has not observed any of these vulnerabilities being actively exploited. However, given their scope and potential impact, administrators should prioritize timely patching.
Mitigation and Patch Guidance
Admins should conduct a full inventory of exposed systems and prioritize based on exposure and potential service disruption.
For CVE-2025-20265:
- Apply Cisco’s software updates for affected FMC versions immediately.
- If patching isn’t feasible, disable RADIUS authentication and opt for supported alternatives (LDAP, SAML, or local accounts). See Cisco’s advisory for CVE-2025-20265 for details.
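The following is an added example, not code from Cisco or from the original post: a small triage script that applies the exposure conditions described above (FMC 7.0.7 or 7.7.0, RADIUS enabled for web or SSH) to an asset inventory and orders the patch worklist. The CSV column names, the sample hosts and the four-level priority scheme are assumptions made for illustration.

```python
import csv
import io

# Affected FMC releases as stated on this page.
AFFECTED_VERSIONS = {"7.0.7", "7.7.0"}

# Constructed sample inventory; hosts and column names are hypothetical.
SAMPLE_INVENTORY = """\
host,product,version,radius_web,radius_ssh,mgmt_internet_facing
fmc-dc1,FMC,7.0.7,yes,no,yes
fmc-dc2,FMC,7.7.0,no,yes,no
fmc-lab,FMC,7.7.0,no,no,no
fmc-old,FMC,7.4.2,yes,yes,yes
asa-edge,ASA,9.20.3,yes,yes,yes
"""

def _yes(value):
    """Interpret common truthy spellings found in exported inventories."""
    return value.strip().lower() in {"yes", "true", "1"}

def triage(row):
    """Return (priority, reason); 1 is most urgent, 4 means not affected."""
    if row["product"].strip().upper() != "FMC":
        return 4, "not FMC (ASA and FTD are not affected)"
    if row["version"].strip() not in AFFECTED_VERSIONS:
        return 4, "FMC release not listed as affected"
    if not (_yes(row["radius_web"]) or _yes(row["radius_ssh"])):
        return 3, "affected release, RADIUS off: update before enabling RADIUS"
    if _yes(row["mgmt_internet_facing"]):
        return 1, "affected release, RADIUS on, management interface exposed"
    return 2, "affected release, RADIUS on, internal management only"

def build_worklist(csv_text):
    """Parse the inventory and return (priority, reason, host) sorted by urgency."""
    rows = csv.DictReader(io.StringIO(csv_text))
    ranked = [(*triage(r), r["host"]) for r in rows]
    return sorted(ranked, key=lambda t: (t[0], t[2]))

if __name__ == "__main__":
    for priority, reason, host in build_worklist(SAMPLE_INVENTORY):
        print(f"P{priority}  {host:<9} {reason}")
```

Priority 1 and 2 hosts are the ones to update first or move off RADIUS; priority 3 hosts are not currently reachable through the flaw but become so if RADIUS is enabled before they are updated.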
For other vulnerabilities:
- Check Cisco’s security advisories page for the full list of CVEs, with details on affected versions and available patches.
Managing vulnerabilities across complex environments can be overwhelming, especially when multiple flaws appear at once. It’s not just about patching; it’s about knowing which issues matter most and where your exposure lies.
SOCRadar’s Attack Surface Management (ASM) uncovers hidden assets, outdated systems, and risky misconfigurations, while the Cyber Threat Intelligence module delivers real-time insight into the latest CVEs, exploit chatter, and attacker activity. Together, they help you prioritize what to fix first, close gaps faster, and stay ahead of active threats.
