Mallory

Critical Remote Code Execution Vulnerability in WatchGuard Fireware OS VPN

Tags: perimeter-device-exposure, widely-deployed-product-advisory, proof-of-concept-release, end-of-life-software, initial-access-method
Updated March 21, 2026 at 03:39 PM (3 sources)

A critical vulnerability, tracked as CVE-2025-9242, has been discovered in WatchGuard's Fireware OS, affecting a wide range of Firebox network security appliances. This flaw is an out-of-bounds write in the 'iked' process, which is responsible for handling IKEv2 VPN negotiations. The vulnerability allows remote attackers to execute arbitrary code on affected devices without authentication, posing a severe risk to organizations relying on these appliances for network security. The issue specifically impacts devices configured with mobile user VPNs or branch office VPNs using IKEv2 with dynamic gateway peers. Security researchers have demonstrated that attackers can exploit this bug by sending specially crafted IKEv2 packets during the IKE_SA_AUTH phase, triggering a buffer overflow in the ike2_ProcessPayload_CERT function. Once exploited, attackers can gain control of the instruction pointer, establish Python interactive shells over TCP, and escalate to a full Linux shell by remounting filesystems and deploying BusyBox binaries. The vulnerability has been assigned a CVSS score of 9.3, underscoring its critical nature. According to scans by The Shadowserver Foundation, nearly 76,000 Firebox appliances remain exposed and vulnerable on the public internet, with the highest concentrations in the United States, Germany, Italy, the United Kingdom, Canada, and France. Affected Fireware OS versions include 11.10.2 through 11.12.4_Update1, the entire 12.0 series up to 12.11.3, and the 2025.1 release, impacting both older and newer Firebox models. WatchGuard has released patches in versions 12.3.1_Update3, 12.5.13, 12.11.4, and 2025.1.1 to address the vulnerability. Devices running version 11.x are no longer supported and will not receive security updates, prompting the vendor to recommend upgrading to a supported version. 
For appliances configured only with Branch Office VPNs to static gateway peers, WatchGuard has provided documentation for securing connections as a temporary workaround. The vulnerability transforms trusted security appliances into potential entry points for attackers, threatening the integrity of network defenses. Organizations are urged to assess their Firebox deployments, prioritize patching, and review VPN configurations to mitigate the risk. The widespread exposure of vulnerable devices highlights the urgency of remediation efforts. WatchGuard's disclosure and the subsequent public scanning have brought significant attention to the issue, emphasizing the importance of timely patch management in network security infrastructure. Failure to address this vulnerability could result in unauthorized access, lateral movement, and compromise of sensitive internal networks. The incident serves as a stark reminder of the risks posed by critical flaws in security appliances and the need for continuous monitoring and rapid response.
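To turn the affected and fixed version lists above into a fleet check, here is an added example (not code from the advisory or from WatchGuard) that classifies Fireware OS version strings for CVE-2025-9242 only; the `parse_version`, `classify` and `triage` names, the status labels and the sample inventory are this example's own assumptions, and 12.x point releases the page does not mention are flagged conservatively as vulnerable rather than guessed to be fixed.

```python
import re
from typing import Dict, List, Tuple

# Added example: version triage for CVE-2025-9242 using the ranges stated above.
# Version tuple: (major, minor, patch, update). An "_UpdateN" suffix sorts
# after the bare release, so 12.3.1_Update3 > 12.3.1 > 12.3.0.
VersionTuple = Tuple[int, int, int, int]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?$", re.I)

def parse_version(text: str) -> VersionTuple:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))

# Inclusive affected ranges stated in the advisory for CVE-2025-9242.
AFFECTED_RANGES = [
    (parse_version("11.10.2"), parse_version("11.12.4_Update1")),
    (parse_version("12.0"), parse_version("12.11.3")),
    (parse_version("2025.1"), parse_version("2025.1")),
]
# Model-specific fixed builds that sit inside the 12.x affected range.
POINT_FIXES = {parse_version("12.3.1_Update3"), parse_version("12.5.13")}
# Mainline fixed release per supported branch; at or above means patched.
BRANCH_FIXES = {12: parse_version("12.11.4"), 2025: parse_version("2025.1.1")}

def classify(version_text: str) -> str:
    v = parse_version(version_text)
    if v[0] == 11:
        # 11.x is end-of-life: no fix ships, so anything from 11.10.2 up stays
        # exposed until the device is moved to a supported branch.
        return "vulnerable-eol" if v >= AFFECTED_RANGES[0][0] else "eol-unlisted"
    fix = BRANCH_FIXES.get(v[0])
    if v in POINT_FIXES or (fix is not None and v >= fix):
        return "patched"
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "vulnerable"  # 12.x point releases the page does not list land here
    return "unlisted"  # outside every stated range; confirm with the vendor advisory

def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every device that still needs action."""
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    return [r for r in rows if r[2] in ("vulnerable", "vulnerable-eol")]

# Constructed sample inventory (hypothetical hosts) to show the fleet view.
SAMPLE_INVENTORY = {"fw-edge-1": "12.11.3", "fw-edge-2": "12.11.4",
                    "fw-branch-7": "11.12.4_Update1", "fw-lab": "12.3.1_Update3"}
```

`triage(SAMPLE_INVENTORY)` returns only the two hosts still needing action; the 12.11.4 and 12.3.1_Update3 devices are reported as patched.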

Timeline

  1. Oct 21, 2025

    More than 75,000 vulnerable Firebox appliances remain exposed a month later

    On October 21, 2025, reporting indicated that over 75,000 internet-exposed WatchGuard Firebox devices were still vulnerable more than a month after patches became available. The affected systems were especially concentrated in the U.S., Germany, Italy, the U.K., Canada, and France, underscoring slow patch adoption.

  2. Oct 20, 2025

    Shadowserver finds nearly 76,000 internet-exposed vulnerable Firebox devices

    By October 20, 2025, Shadowserver Foundation scans showed that almost 76,000 WatchGuard Firebox appliances remained exposed on the public internet and vulnerable to CVE-2025-9242. Reports said the largest concentrations were in the United States and Europe and noted no active exploitation had been reported at that time.

  3. Sep 17, 2025

    WatchGuard discloses CVE-2025-9242 and releases patches

    On September 17, 2025, WatchGuard disclosed the critical Firebox vulnerability CVE-2025-9242, an out-of-bounds write in the Fireware OS 'iked' process that can enable unauthenticated remote code execution via crafted IKEv2 packets. The company released patched Fireware versions, advised temporary workarounds for some VPN configurations, and said unsupported 11.x devices must be upgraded because they will not receive fixes.


Related Stories

Critical Remote Code Execution Vulnerability in WatchGuard Fireware OS VPN (CVE-2025-9242)

A critical security vulnerability, tracked as CVE-2025-9242, was discovered in WatchGuard Fireware OS, which powers WatchGuard’s Firebox network security appliances. This flaw is an out-of-bounds write vulnerability in the iked process, specifically within the function 'ike2_ProcessPayload_CERT' in the file 'src/ike/iked/v2/ike2_payload_cert.c'. The vulnerability arises due to a missing length check on the identification buffer, allowing a remote, unauthenticated attacker to trigger a stack-based buffer overflow. Exploitation of this flaw enables arbitrary code execution during the IKE_SA_AUTH phase of the IKEv2 handshake, which is used to establish VPN tunnels. The vulnerability affects both mobile user VPNs and branch office VPNs configured with dynamic gateway peers, making it a significant risk for organizations relying on these features. Fireware OS versions 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1 are impacted, with fixes released in 2025.1.1, 12.11.4, 12.3.1_Update3 (FIPS-certified), and 12.5.13 for specific models. The 11.x branch has reached end-of-life and is no longer supported. Security researchers, including McCaulay Hudson of watchTowr Labs, highlighted that the vulnerability is particularly attractive to ransomware groups due to its remote, unauthenticated nature and the fact that it targets internet-exposed perimeter appliances. WatchGuard’s Fireware OS is widely deployed, protecting over 250,000 small and midsize enterprises and more than 10 million endpoints globally, amplifying the potential impact of this vulnerability. The flaw was disclosed and patched following responsible disclosure, with WatchGuard issuing an advisory and urging customers to update affected devices immediately. The vulnerability underscores the ongoing risk posed by classic buffer overflow issues, even in modern enterprise-grade security appliances. 
Researchers were able to reproduce the exploit, demonstrating the ease with which attackers could compromise vulnerable systems. The lack of mainstream exploit mitigations in the affected code path further increases the risk of successful exploitation. Organizations using WatchGuard Fireware OS are advised to review their VPN configurations, apply the latest patches, and consider additional monitoring for signs of exploitation. The incident highlights the importance of timely patch management and the persistent threat posed by memory safety vulnerabilities in critical infrastructure.

1 month ago
WatchGuard Firebox Zero-Day Exploited for Remote Code Execution

A critical zero-day vulnerability, identified as CVE-2025-14733, has been discovered in WatchGuard Firebox firewalls, allowing remote unauthenticated attackers to execute arbitrary code. The flaw, rated with a CVSS score of 9.3, resides in the `iked` process responsible for handling IKEv2 VPN connections, specifically affecting both Mobile User VPN and Branch Office VPN configurations. Attackers can exploit this out-of-bounds write vulnerability by sending specially crafted requests, potentially leading to full device compromise and firewall hijacking. WatchGuard has confirmed active exploitation of this vulnerability in the wild, with threat actors targeting exposed devices. Indicators of compromise include suspicious IP addresses, unusually large certificate payloads in IKE_AUTH requests, long certificate chains, and unexpected crashes of the `iked` process. Administrators are urged to apply the latest security updates immediately and review their logs for signs of compromise. The vulnerability affects Fireware OS versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.5, and 2025.1 through 2025.1.3.

1 month ago
Active Exploitation of Critical WatchGuard Firebox Vulnerabilities

WatchGuard has confirmed that its Firebox firewall devices are being actively targeted due to a critical remote code execution vulnerability, CVE-2025-32978, which allows unauthenticated attackers to execute arbitrary commands remotely. The flaw resides in the Fireware OS Internet Key Exchange (IKE) service and can be exploited if the device is accessible over the internet, potentially giving attackers full control of the firewall. WatchGuard has released emergency patches and indicators of compromise, urging customers to update their firmware immediately or apply temporary workarounds if patching is not possible. The vulnerability affects configurations involving mobile user VPN with IKEv2 and branch office VPNs using IKEv2, even if some configurations have been deleted but others remain. In response to evidence of active exploitation, CISA has added a WatchGuard Firebox vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting the significant risk such flaws pose to federal and enterprise networks. CISA's directive requires federal agencies to remediate these vulnerabilities by a set deadline and strongly encourages all organizations to prioritize patching to reduce exposure to cyberattacks. The inclusion in the KEV Catalog underscores the urgency for organizations to address these vulnerabilities as part of their ongoing vulnerability management practices.

1 month ago