CVE-2025-9242
Published 2025-09-17
Priority: P1 (100) · critical · 9.8 (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-12-03
Exploited in the wild
EPSS: 86.37% (99.7th percentile)
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| watchguard | fireware | — | — |
| watchguard | fireware | >= 11.10.2 < 12.11.4 | 12.11.4 |
| watchguard | fireware | >= 11.10.2 < 12.5.13 | 12.5.13 |
| watchguard | fireware_os | 11.10.2 – 11.12.4+541730 | — |
| watchguard | fireware_os | 12.0 – 12.11.3 | — |
| watchguard | fireware_os | 2025.0 – 2025.1 | — |
Detection & IOCs (extracted from sources)
- url: https://github.com/watchtowrlabs/watchTowr-vs-WatchGuard-CVE-2025-9242/
- url: https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242
- other: shodan: html:"Watchguard" html:"Authentication Server"
- Detect specially crafted IKEv2 packets (UDP/500 or UDP/4500) sent to Firebox appliances from unauthenticated external sources; anomalous IKEv2 SA_INIT or KEY_EXCHANGE payloads with oversized or malformed data fields are indicative of exploitation attempts.
- WatchGuard has shared indicators of compromise to help customers check whether their Firebox devices have been compromised; consult the vendor advisory and rotate all locally stored secrets if any signs of malicious activity are found.
- Devices configured with Mobile User VPN with IKEv2 or Branch Office VPN using IKEv2 with a dynamic gateway peer are the primary attack surface; also flag devices where these configs were deleted but a BOVPN to a static gateway peer remains.
- Use the Shodan query 'html:"Watchguard" html:"Authentication Server"' to identify internet-exposed WatchGuard Firebox management interfaces for asset inventory and exposure assessment.
- The exploit PoC (watchTowr) implements a full IKEv2 handshake with crafted KEY_EXCHANGE payloads using DH Group 14 (2048-bit MODP); monitor for IKEv2 negotiations from unexpected or external initiators, especially those proposing unusual cipher suites or oversized KE data.
- Only Firebox appliances configured to use IKEv2 VPN (Mobile User VPN with IKEv2 or Branch Office VPN with IKEv2 dynamic gateway peer) are vulnerable; static-only BOVPN configurations are not directly vulnerable but may still be at risk under certain conditions.
- Affected versions are Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1; version 11.x is end-of-life and will not receive patches — upgrade to a supported branch.
- Fixed versions are 12.3.1_Update3 (B722811), 12.5.13, 12.11.4, and 2025.1.1; organizations unable to patch immediately should disable dynamic peer BOVPNs, add new firewall policies, and disable default system policies handling VPN traffic as a temporary workaround.
- The exploit PoC ROP gadget addresses are version-specific (documented for Fireware 12.11.3 only); detection or blocking based on these addresses is not portable across firmware versions.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 9.3 | CRITICAL | — |
| cisa | — | 9.3 | CRITICAL | — |
CISA
WatchGuard Firebox Out-of-Bounds Write Vulnerability
cisa·2025-11-12·CVSS 9.3
CVE-2025-9242 [CRITICAL] CWE-787 WatchGuard Firebox Out-of-Bounds Write Vulnerability
Vulnerability: WatchGuard Firebox Out-of-Bounds Write Vulnerability
Affected: WatchGuard Firebox
WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015 ; https://nvd.nist.gov/vuln/detail/CVE-2025-9242
Remediation Due Date: 2025-12-03
GHSA
GHSA-g6q4-chqv-724q: An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code
ghsa_unreviewed·2025-09-17
CVE-2025-9242 [CRITICAL] CWE-787 GHSA-g6q4-chqv-724q: An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.
VulnCheck
WatchGuard Firebox Out-of-Bounds Write Vulnerability
vulncheck·2025·CVSS 9.3
CVE-2025-9242 [CRITICAL] CWE-787 WatchGuard Firebox Out-of-Bounds Write Vulnerability
WatchGuard Firebox Out-of-Bounds Write Vulnerability
WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code.
Affected: WatchGuard Firebox
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.recordedfuture.com/blog/november-2025-cve-landscape; https://cyble.com/resources/research-reports/global-cybersecurity-report/; https://www.loginsoft.com/reports/annually/vulnerabil
Suricata
ET INFO WatchGuard Fireware OS IKEv2 Unauthenticated Vulnerable Version Disclosure (CVE-2025-9242)
suricata·2025-10-17·CVSS 9.3
CVE-2025-9242 [CRITICAL] ET INFO WatchGuard Fireware OS IKEv2 Unauthenticated Vulnerable Version Disclosure (CVE-2025-9242)
ET INFO WatchGuard Fireware OS IKEv2 Unauthenticated Vulnerable Version Disclosure (CVE-2025-9242)
Rule:
```
alert ike $HOME_NET 500 -> any any (msg:"ET INFO WatchGuard Fireware OS IKEv2 Unauthenticated Vulnerable Version Disclosure (CVE-2025-9242)"; flow:stateless,to_client; content:"|21 20 22 20|"; offset:16; depth:4; content:"|22 00|"; distance:8; within:2; content:"|bf c2 2e 98 56 ba 99 36|"; fast_pattern; base64_decode:offset 24,relative; base64_data; content:"VN|3d|"; pcre:"/^(?!(?:12\.(?:11\.[4-9]|1[3-9]|[2-9]\d+)|11\.1[02]\.[2-9])|2025\.1\x20).+\x20?/R"; reference:url,labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/; reference:cve,2025-9242; classtype:misc-attack; sid:2065235; rev:1; metadata:attack_target Networking_Equipment, created_at 2025_1
```
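The affected and fixed versions listed in the detection notes above, together with the version string the Suricata rule pulls out of the IKE_SA_INIT response (base64-decoded vendor ID data followed by `VN=`), can be turned into a triage check for a firewall inventory export. The following Python is an added example written for this page; it is not WatchGuard, watchTowr or Emerging Threats code. The mapping of each fixed build to a maintenance branch, the treatment of every 2025.1 build below 2025.1.1 as affected, and the plaintext layout around `VN=` are assumptions of the example; the vendor ID sample and the inventory lines are constructed.

```python
"""Triage Fireware OS version strings against CVE-2025-9242.

Added example for this page; not WatchGuard, watchTowr or Emerging Threats code.
Ranges are taken from the advisory text quoted above:
  vulnerable: 11.10.2 .. 11.12.4_Update1 (11.x is end-of-life, no fix),
              12.0 .. 12.11.3, and 2025.1
  fixed in:   12.3.1_Update3 (B722811), 12.5.13, 12.11.4, 2025.1.1
"""
import base64
import re

# Accepts "12.11.3", "11.12.4_Update1", "2025.1" and an optional "(B722811)"
# build tag, which is ignored for ordering.
_VER_RE = re.compile(r"^(\d+(?:\.\d+){0,2})(?:_Update(\d+))?(?:\s*\(B\d+\))?$")
_VN_RE = re.compile(r"VN=(\S+)")


def parse_version(text):
    """Return a sortable (major, minor, patch, update) tuple; raise on junk."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Fireware version: %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))             # "2025.1" -> (2025, 1, 0)
    update = int(m.group(2)) if m.group(2) else 0
    return tuple(parts) + (update,)


# (lower bound, upper bound, upper bound inclusive?) from the advisory text.
# Treating every 2025.1 build below the 2025.1.1 fix as affected is an
# assumption of this example; the advisory just says "2025.1".
VULNERABLE_RANGES = [
    (parse_version("11.10.2"), parse_version("11.12.4_Update1"), True),
    (parse_version("12.0"), parse_version("12.11.3"), True),
    (parse_version("2025.1"), parse_version("2025.1.1"), False),
]

# Fixed builds and the maintenance branch each one patches. The branch
# prefixes are an assumption; the advisory lists only the fixed versions.
FIXED_BUILDS = [
    ((12, 3, 1), "12.3.1_Update3"),
    ((12, 5), "12.5.13"),
    ((12, 11), "12.11.4"),
    ((2025, 1), "2025.1.1"),
]


def recommended_fix(ver):
    """Fix on the same maintenance branch if one exists, else the newest for the major."""
    for prefix, fixed in FIXED_BUILDS:
        if ver[:len(prefix)] == prefix:
            return fixed
    return "12.11.4" if ver[0] == 12 else "2025.1.1"


def triage(text):
    """Classify one version string.

    Returns (status, advice) with status one of
    'fixed', 'vulnerable', 'vulnerable-eol' or 'not-listed'.
    """
    ver = parse_version(text)
    # A build at or past the fix on its branch is patched even though the plain
    # numeric range 12.0..12.11.3 still contains it (e.g. 12.5.13).
    for prefix, fixed in FIXED_BUILDS:
        if ver[:len(prefix)] == prefix and ver >= parse_version(fixed):
            return "fixed", "patched against CVE-2025-9242"
    for low, high, inclusive in VULNERABLE_RANGES:
        if low <= ver and (ver <= high if inclusive else ver < high):
            if ver[0] == 11:
                return ("vulnerable-eol",
                        "11.x is end-of-life; move to 12.5.13, 12.11.4 or 2025.1.1")
            return "vulnerable", "upgrade to " + recommended_fix(ver)
    return "not-listed", "outside the advisory's affected ranges"


# Constructed sample, not a real capture: the Suricata rule above base64-decodes
# the vendor ID data and then matches "VN="; the rest of the plaintext layout is
# unknown to this example, so only that token is modelled.
SAMPLE_VENDOR_ID_B64 = base64.b64encode(b"VN=12.11.3 ")


def disclosed_version(b64_text):
    """Return the version after "VN=" in a base64-encoded vendor ID, or None."""
    try:
        decoded = base64.b64decode(b64_text, validate=True).decode("ascii", "replace")
    except ValueError:                          # binascii.Error is a ValueError
        return None
    m = _VN_RE.search(decoded)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed inventory export: one hostname and version per line.
    inventory = ["fw-hq 12.11.3", "fw-branch 12.5.13", "fw-lab 11.12.4_Update1",
                 "fw-dc 2025.1", "fw-new 2025.1.1"]
    for line in inventory:
        host, version = line.split()
        print("%-10s %-16s %s: %s" % ((host, version) + triage(version)))
    print("vendor ID discloses", disclosed_version(SAMPLE_VENDOR_ID_B64))
```

The fixed-build check runs before the range check on purpose: 12.5.13 sits inside the numeric span 12.0 to 12.11.3 that the advisory names, so a naive range comparison would flag a patched 12.5 device as vulnerable. Anything the script reports as `not-listed` (for example a version below 11.10.2) is outside what the advisory states, not confirmed safe.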
Nuclei
WatchGuard IKEv2 Out-of-Bounds Write Vulnerability
nuclei·CVSS 9.3
CVE-2025-9242 [CRITICAL] WatchGuard IKEv2 Out-of-Bounds Write Vulnerability
WatchGuard IKEv2 Out-of-Bounds Write Vulnerability
WatchGuard Fireware OS 11.10.2 to 11.12.4_Update1, 12.0 to 12.11.3, and 2025.1 contains an out-of-bounds write caused by improper handling in Mobile User VPN and Branch Office VPN with IKEv2 dynamic gateway peer, letting remote unauthenticated attackers execute arbitrary code.
Template:
```yaml
id: CVE-2025-9242
info:
  name: WatchGuard IKEv2 Out-of-Bounds Write Vulnerability
  author: pussycat0x,DhiyaneshDK,watchTowr
  severity: critical
  description: |
    WatchGuard Fireware OS 11.10.2 to 11.12.4_Update1, 12.0 to 12.11.3, and 2025.1 contains an out-of-bounds write caused by improper handling in Mobile User VPN and Branch Office VPN with IKEv2 dynamic gateway peer, letting remote unauthenticated attackers execute arbitrary code.
  impact: |
    Remote unauth
```
Bleepingcomputer
Critical RCE flaw impacts over 115,000 WatchGuard firewalls
blogs_bleepingcomputer·2025-12-22·CVSS 9.3
CVE-2025-14733 [CRITICAL] Critical RCE flaw impacts over 115,000 WatchGuard firewalls
By Sergiu Gatlan
Over 115,000 WatchGuard Firebox devices exposed online remain unpatched against a critical remote code execution (RCE) vulnerability actively exploited in attacks.
The security flaw, tracked as CVE-2025-14733, affects Firebox firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3.
Successful exploitation enables unauthenticated attackers to execute arbitrary code remotely on vulnerable devices, following low-complexity attacks that don't require user interaction.
As WatchGuard explained in a Thursday advisory, when it released CVE-2025-14733 security updates and tagged it as exploited in the wild, unpatched Fireb
Bleepingcomputer
New critical WatchGuard Firebox firewall flaw exploited in attacks
blogs_bleepingcomputer·2025-12-19·CVSS 9.3
CVE-2025-14733 [CRITICAL] New critical WatchGuard Firebox firewall flaw exploited in attacks
By Sergiu Gatlan
WatchGuard has warned customers to patch a critical, actively exploited remote code execution (RCE) vulnerability in its Firebox firewalls.
Tracked as CVE-2025-14733, this security flaw affects firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3.
The vulnerability is due to an out-of-bounds write weakness that enables unauthenticated attackers to execute malicious code remotely on unpatched devices, following successful exploitation in low-complexity attacks that don't require user interaction.
While unpatched Firebox firewalls are only vulnerable to attacks if configured to use IKEv2 VPN, WatchGuard no
Bleepingcomputer
CISA warns of WatchGuard firewall flaw exploited in attacks
blogs_bleepingcomputer·2025-11-13·CVSS 9.8
CVE-2025-9242 [CRITICAL] CISA warns of WatchGuard firewall flaw exploited in attacks
By Sergiu Gatlan
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has warned government agencies to patch an actively exploited vulnerability impacting WatchGuard Firebox firewalls.
Remote attackers can use this critical security flaw (CVE-2025-9242) to execute malicious code remotely on vulnerable devices by exploiting an out-of-bounds write weakness in firewalls running Fireware OS 11.x (end of life), 12.x, and 2025.1.
CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has given Federal Civilian Executive Branch (FCEB) agencies three weeks, until December 3, to secure their systems against ongoing attacks as mandated by the Binding Operational Directive (BOD) 22-01.
Bleepingcomputer
Over 75,000 WatchGuard security devices vulnerable to critical RCE
blogs_bleepingcomputer·2025-10-20·CVSS 9.3
CVE-2025-9242 [CRITICAL] Over 75,000 WatchGuard security devices vulnerable to critical RCE
By Bill Toulas
Nearly 76,000 WatchGuard Firebox network security appliances are exposed on the public web and still vulnerable to a critical issue (CVE-2025-9242) that could allow a remote attacker to execute code without authentication.
Firebox devices act as a central defense hub that controls traffic between internal and external networks, providing protection through policy management, security services, VPN, and real-time visibility through WatchGuard Cloud.
Scans from The Shadowserver Foundation currently show that there are 75,835 vulnerable Firebox appliances across the world, most of them in Europe and North America.
Specifically, the United States tops the list with 24,500 endpoints, followed by
Bleepingcomputer
WatchGuard warns of critical vulnerability in Firebox firewalls
blogs_bleepingcomputer·2025-09-18·CVSS 9.3
CVE-2025-9242 [CRITICAL] WatchGuard warns of critical vulnerability in Firebox firewalls
By Sergiu Gatlan
WatchGuard has released security updates to address a remote code execution vulnerability impacting the company's Firebox firewalls.
Tracked as CVE-2025-9242, this critical security flaw is caused by an out-of-bounds write weakness that can allow attackers to execute malicious code remotely on vulnerable devices following successful exploitation.
CVE-2025-9242 affects firewalls running Fireware OS 11.x (end of life), 12.x, and 2025.1, and was fixed in versions 12.3.1_Update3 (B722811), 12.5.13, 12.11.4, and 2025.1.1.
While Firebox firewalls are only vulnerable to attacks if they are configured to use IKEv2 VPN, WatchGuard added that they may still be at risk of compromise, even if the vulnerable config
Recorded Future
November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
blogs_recorded_future·CVSS 5.4
CVE-2025-64446 [MEDIUM] November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 10 vulnerabilities requiring immediate attention, down from 32 in October.
What security teams need to know:
- Fortinet leads concerns: Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation
- LANDFALL spyware campaign: Threat actors weaponized Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks
- Public exploits proliferate: Seven of ten vulnerabilities have public proof-of-concept code available
- OS Command Injection and Out-of-bounds Write were tied as the most common weakness types
Bottom line: Th
Timeline
- 2025-09-17: Published
- 2025-11-12: Added to CISA KEV
- Exploited in the wild