CVE-2025-9242
published 2025-09-17


Priority: P1 (score 100), critical
CVSS 3.1 base score: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, remediation due 2025-12-03
Exploited in the wild
EPSS: 86.37% (99.7th percentile)
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1.

Affected (6 ranges)

Vendor      Product      Version range                  Fixed in
watchguard  fireware     (unspecified)
watchguard  fireware     >= 11.10.2 < 12.11.4           12.11.4
watchguard  fireware     >= 11.10.2 < 12.5.13           12.5.13
watchguard  fireware_os  11.10.2 – 11.12.4+541730
watchguard  fireware_os  12.0 – 12.11.3
watchguard  fireware_os  2025.0 – 2025.1

Detection & IOCs (extracted from sources)

port: 500/udp (IKEv2)
url: https://github.com/watchtowrlabs/watchTowr-vs-WatchGuard-CVE-2025-9242/
url: https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242
other: shodan: html:"Watchguard" html:"Authentication Server"
  • Detect specially crafted IKEv2 packets (UDP/500 or UDP/4500) sent to Firebox appliances from unauthenticated external sources; anomalous IKEv2 SA_INIT or KEY_EXCHANGE payloads with oversized or malformed data fields are indicative of exploitation attempts.
  • WatchGuard has shared indicators of compromise to help customers check whether their Firebox devices have been compromised; consult the vendor advisory and rotate all locally stored secrets if any signs of malicious activity are found.
  • Devices configured with Mobile User VPN with IKEv2 or Branch Office VPN using IKEv2 with a dynamic gateway peer are the primary attack surface; also flag devices where these configs were deleted but a BOVPN to a static gateway peer remains.
  • Use Shodan query 'html:"Watchguard" html:"Authentication Server"' to identify internet-exposed WatchGuard Firebox management interfaces for asset inventory and exposure assessment.
  • The exploit PoC (watchTowr) implements a full IKEv2 handshake with crafted KEY_EXCHANGE payloads using DH Group 14 (2048-bit MODP); monitor for IKEv2 negotiations from unexpected or external initiators, especially those proposing unusual cipher suites or oversized KE data.
  • Only Firebox appliances configured to use IKEv2 VPN (Mobile User VPN with IKEv2 or Branch Office VPN with IKEv2 dynamic gateway peer) are vulnerable; static-only BOVPN configurations are not directly vulnerable but may still be at risk under certain conditions.
  • Affected versions are Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1; version 11.x is end-of-life and will not receive patches, so upgrade to a supported branch.
  • Fixed versions are 12.3.1_Update3 (B722811), 12.5.13, 12.11.4, and 2025.1.1; organizations unable to patch immediately should disable dynamic peer BOVPNs, add new firewall policies, and disable default system policies handling VPN traffic as a temporary workaround.
  • The exploit PoC ROP gadget addresses are version-specific (documented for Fireware 12.11.3 only); detection or blocking based on these addresses is not portable across firmware versions.

CVSS provenance

nvd       v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       v4.0  9.3  CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck       9.3  CRITICAL
cisa            9.3  CRITICAL