Cisco has issued a patch for a maximum-severity bug in its Secure Firewall Management Center (FMC) software that could allow an unauthenticated, remote attacker to inject arbitrary shell commands on vulnerable systems.

The vulnerability, tracked as CVE-2025-20265 , received a critical 10.0 CVSS rating. It's caused by improper handling of user input by FMC's RADIUS authentication subsystem during the login process. Exploitation is possible only if FMC is configured to use RADIUS authentication for the web-based management interface, SSH management, or both.

Cisco FMC is a centralized management platform for the vendor's network security products, including firewalls, intrusion prevention systems, URL filtering, and anti-malware tools. It's used by large enterprises, managed service provid

See Full Page