CVE-2025-20265

CRITICAL

Cisco Secure Firewall Management Center - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-20265. PoCs published by jordan922, amalpvatayam67, saruman9.

AI-analyzed exploit summary: This repository contains a safe Python script that checks Cisco FMC instances for potential vulnerability to CVE-2025-20265 by querying the official FMC REST API for version information. It supports single or multi-target scanning and includes a harmless local PoC marker option.

Description

A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to inject arbitrary shell commands that are executed by the device. This vulnerability is due to a lack of proper handling of user input during the authentication phase. An attacker could exploit this vulnerability by sending crafted input when entering credentials that will be authenticated at the configured RADIUS server. A successful exploit could allow the attacker to execute commands at a high privilege level.

Note: For this vulnerability to be exploited, Cisco Secure FMC Software must be configured for RADIUS authentication for the web-based management interface, SSH management, or both.

Exploits (3)

nomisec SCANNER 4 stars
by jordan922 · poc
https://github.com/jordan922/cve2025-20265

This repository contains a safe Python script that checks Cisco FMC instances for potential vulnerability to CVE-2025-20265 by querying the official FMC REST API for version information. It supports single or multi-target scanning and includes a harmless local PoC marker option.

Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Cisco Firepower Management Center (FMC)
Auth required
Prerequisites: Valid credentials for the FMC API · Network access to the FMC instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by amalpvatayam67 · poc
https://github.com/amalpvatayam67/day08-CISCO-fmc-sim

This repository contains a working PoC for a simulated Cisco FMC-style management RCE vulnerability (CVE-2025-20265). It includes a minimal HTTP server that intentionally executes commands from crafted JSON input to demonstrate the impact of unsafe input parsing.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Cisco FMC (simulated)
No auth needed
Prerequisites: Docker (for running the simulation) · Network access to the target server
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by saruman9 · poc
https://github.com/saruman9/cve_2025_20265

This is a functional Rust-based exploit for CVE-2025-20265, targeting Cisco Secure FMC. It checks for vulnerability by attempting RCE via SSH and HTTP(S) callbacks, confirming execution through a listener on a specified port.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco Secure Firewall Management Center (FMC)
No auth needed
Prerequisites: Network access to the target · Target must be vulnerable to CVE-2025-20265 · Outbound connectivity from the target to the attacker's listener
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 10.0
EPSS: 0.1447
EPSS Percentile: 96.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-74
Status: published
Products (2):
cisco/secure_firewall_management_center 7.0.7
cisco/secure_firewall_management_center 7.7.0
Published: Aug 14, 2025
Tracked Since: Feb 18, 2026