Cisco’s Fire-fighting Console Has a Howler: Patch Your FMC, Pronto
Cisco has patched a critical (CVSS 10.0) flaw in Secure Firewall Management Center (FMC) that sits in its RADIUS authentication code. An unauthenticated attacker can inject commands during login and achieve remote code execution, but only if RADIUS is enabled for the FMC web UI or SSH. Cisco has shipped fixes and urges customers to update immediately; if you can't patch at once, temporarily disable RADIUS and use local or LDAP accounts for admin logins while you lock down access. Affected releases are 7.0.7 and 7.7.0. No exploitation had been disclosed at publication, but the risk is severe given FMC's central role managing firewalls.
If your network's crown jewels are guarded by Cisco's Secure Firewall Management Center (FMC), it's time for a quick brew and an urgent patch. A CVSS 10.0 bug in FMC's RADIUS login path lets a remote attacker run commands without logging in, provided you've turned on RADIUS for the web interface or SSH. It's the software equivalent of leaving the keys under the doormat and putting a sign up saying "Try here".
What's actually wrong?
In short: command injection during the authentication phase. Crafted input supplied as login credentials is passed along the RADIUS authentication path without proper sanitisation and ends up interpreted as shell commands, giving an attacker who never authenticated high-privilege execution on your management box. Because FMC controls your firewalls, that's… not ideal.
Who’s affected?
Cisco flags FMC 7.0.7 and 7.7.0 when RADIUS authentication is enabled for the web UI or SSH. If you don't use RADIUS for either of those, you're not directly exposed to this bug, but you should still update.
What to do today
1. Patch now: move to the fixed FMC release for your train.
2. If patching must wait, disable RADIUS for FMC logins (web UI and SSH) and fall back to local or LDAP accounts temporarily.
3. Restrict management access (IP allow-lists, VPN only), increase logging, and watch admin and login events, paying particular attention to failed RADIUS logins with odd-looking usernames.
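To make steps 1 and 3 concrete, here is an added example (not Cisco's code, and not from the original article) in Python. It does two things: checks whether a given FMC version plus RADIUS setting matches the advisory's conditions as the article describes them, and scans login events for RADIUS attempts whose username carries shell metacharacters or an implausible length. The log line format, hostnames, IPs and usernames are all constructed for the example; FMC's real audit/syslog format differs, so adapt `LOGIN_RE` to whatever your collector actually emits.

```python
import re
from dataclasses import dataclass

# Releases the advisory names as affected when RADIUS auth is enabled (per the article).
AFFECTED_VERSIONS = {"7.0.7", "7.7.0"}

# Shell metacharacters that should never appear in a legitimate username.
# Assumption: your RADIUS usernames are plain letters/digits/dot/dash/underscore.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\]")

# Constructed, hypothetical log format (NOT FMC's real syslog format):
#   <ts> <host> login: auth=<method> user="<name>" src=<ip> result=<OK|FAIL>
LOGIN_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) login: auth=(?P<auth>\w+) '
    r'user="(?P<user>.*?)" src=(?P<src>\S+) result=(?P<result>\w+)$'
)


@dataclass
class Finding:
    ts: str
    src: str
    user: str
    reason: str


def radius_exposed(version: str, radius_enabled: bool) -> bool:
    """True when this FMC matches the advisory's conditions: an affected
    release AND RADIUS configured for web UI/SSH logins."""
    return version.strip() in AFFECTED_VERSIONS and radius_enabled


def suspicious_radius_logins(lines, max_len=64):
    """Return RADIUS login attempts whose username contains shell
    metacharacters or is longer than any real account name should be.
    Local/LDAP logins are skipped: this bug lives in the RADIUS path only."""
    findings = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m or m["auth"].lower() != "radius":
            continue
        user = m["user"]
        if SHELL_META.search(user):
            findings.append(Finding(m["ts"], m["src"], user,
                                    "shell metacharacter in username"))
        elif len(user) > max_len:
            findings.append(Finding(m["ts"], m["src"], user,
                                    f"username longer than {max_len} chars"))
    return findings


# Constructed sample events: one clean RADIUS login, one odd LOCAL login
# (ignored, wrong auth path), one RADIUS login with a command substitution
# in the username, one RADIUS login with an 80-character username.
SAMPLE_LOG = [
    '2025-08-14T10:01:22Z fmc01 login: auth=radius user="alice" src=10.0.0.5 result=OK',
    '2025-08-14T10:02:03Z fmc01 login: auth=local user="admin;id" src=10.0.0.9 result=FAIL',
    '2025-08-14T10:02:41Z fmc01 login: auth=radius user="bob$(id)" src=198.51.100.7 result=FAIL',
    '2025-08-14T10:03:10Z fmc01 login: auth=radius user="' + "A" * 80 + '" src=198.51.100.7 result=FAIL',
]

if __name__ == "__main__":
    print("exposed:", radius_exposed("7.7.0", radius_enabled=True))
    for f in suspicious_radius_logins(SAMPLE_LOG):
        print(f"{f.ts} src={f.src} user={f.user!r}: {f.reason}")
```

Run it against your exported login events (one line per event) and treat any hit from an external address as a reason to pull the RADIUS configuration immediately, not just to investigate; a failed RADIUS login is exactly where this injection fires, so `result=FAIL` with a metacharacter-laden username is the signal, not noise.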
Why this matters
FMC is the brain of your Cisco firewalls; compromise here can cascade to policy changes, log tampering and network mayhem. Treat this like a fire drill, not a rainy-day job.