On August 14, 2025, Cisco released security advisories addressing multiple vulnerabilities, including one in its Secure Firewall Management Center (FMC) software that carries the maximum CVSS score of 10.0.
The flaw, tracked as CVE-2025-20265, affects FMC deployments running versions 7.0.7 or 7.7.0 with RADIUS authentication enabled for the web-based management interface and/or SSH management. It could allow unauthenticated remote execution of malicious code on the firewall management system.
The issue stems from improper input handling during the authentication phase: a threat actor could exploit it by sending crafted input when entering credentials that are then authenticated at the configured RADIUS server.
Cisco confirmed that there are no workarounds, and mitigation requires applying the provided patches.
In addition to CVE-2025-20265, Cisco addressed several other high-severity vulnerabilities in its August 2025 advisory. These include denial-of-service issues in Snort 3 (CVE-2025-20217), IPv6 over IPsec (CVE-2025-20222), and SSL VPN components (CVE-2025-20134), among others.
Analyst insight
This vulnerability poses a direct threat to the integrity of firewall management infrastructure. FMC is often the central control point for policy enforcement, logging, and threat response across distributed networks. Its compromise could allow threat actors to disable protections, manipulate traffic rules, or pivot into other systems.
Organizations should prioritize patching any FMC deployments running versions 7.0.7 or 7.7.0 with RADIUS authentication enabled. Given the CVSS 10.0 rating, this flaw is likely to attract attention from threat actors, and proof-of-concept code or scanning activity may emerge soon.
Beyond patching, we recommend reviewing the RADIUS configurations across all managed environments. This includes verifying that only trusted RADIUS servers are in use, ensuring encrypted communication channels, and limiting access to management interfaces. If RADIUS is not required, disabling it temporarily may reduce exposure while patching is underway.