Olemedia/iStock/Getty Images Plus via Getty Images
ZDNET’s key takeaways
- Cisco’s Secure Firewall Management Center security hole is as bad as they get.
- There is no mitigation and no workaround. Patch immediately.
- So far, no confirmed active exploits have been confirmed.
Get more in-depth ZDNET tech coverage: Add us as a preferred Google source on Chrome and Chromium browsers.
Do you use Cisco’s Secure Firewall Management Center (FMC) software? If your company operates a serious network using Cisco products — and with Cisco’s 76%+ market share of high-end networking, chances are that you do — you must patch it. Not over the weekend. Not Monday. Right now.
Also: Microsoft patches more than 100 Windows security flaws – update your PC now
Cisco has just patched a critical command injection vulnerability (CVE-2025-20265) in FMC. How critical is critical? Let’s put it this way: It has a Common Vulnerability Scoring System (CVSS) score of 10.0, which is the highest possible risk rating in vulnerability scoring. Specifically, the flaw affects FMC versions 7.0.7 and 7.7.0 that have been configured for RADIUS authentication on the web-based or SSH management interface.
RADIUS is the de facto standard for network authentication. It’s the most common implementation used to enable 802.1X access control management. In other words, if you use FMC, it’s almost a certainty you’re using RADIUS, which means you’re vulnerable.
The problem is that because the software didn’t sanitize user input in the RADIUS authentication phase, attackers can send crafted credentials that will be executed as high-privileged shell commands. If abused correctly, this can grant anyone full control over the firewall management center.
Also: This infamous people search site is back after leaking 3 billion records – how to remove your data from it ASAP
Adding insult to injury, attackers can exploit the flaw without any prior system access or valid credentials. I repeat: without any prior system access or valid credentials.
This is a security nightmare. Once a hacker has complete control over firewall management, they can do pretty much anything they want to both the firewall and the rest of your network.
The one bit of good news is that Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software are not affected.
Oh, and by the way, Cisco states, “There are no workarounds that address this vulnerability.” You must patch the program. Now.
Cisco reports that there have been no confirmed active exploits in the wild so far. Give it time. The information in the security report is more than enough for a clever hacker to figure out how to exploit this security hole.
So, once more and with feeling, patch it. Patch it now.
Also: Don’t fall for AI-powered disinformation attacks online – here’s how to stay sharp
Cisco customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. However, given how deep this hole goes, Cisco is also offering the patch for free. In either case, take the following steps:
-
Go to the official Cisco Security Advisory for CVE-2025-20265.
-
Log in with your Cisco account linked to your organization’s support contract.
-
Use the Cisco Software Checker tool or check the Download section of the advisory to identify the specific fixed release for your appliance/version.
-
Download and install the FMC software update for your deployment — patched versions for 7.0.7 and 7.7.0 are provided.
You know what to do now. Get on with it.
