WatchGuard Patched Critical Vulnerability, Allowing RCE in Firebox Appliances
Security Advisory : A critical vulnerability has been found in WatchGuard Firebox appliances that allows remote unauthenticated attackers to execute arbitrary code through an out-of-bounds write in the IKEv2 VPN process.
| OEM | WatchGuard |
| Severity | Critical |
| CVSS Score | 9.3 |
| CVEs | CVE-2025-9242 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The vulnerability, tracked as CVE-2025-9242, which affects multiple Fireware OS versions. Users and administrators are strongly advised to upgrade to the latest patched versions of Fireware OS immediately to stay protected.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Out-of-Bounds Write Vulnerability in IKEv2 Process | CVE-2025-9242 | WatchGuard Firebox Appliances with Fireware OS | Critical | v2025.1.1, v12.11.4, v12.5.13 (T15 & T35 models), 12.3.1_Update3 (FIPS-certified) |
Technical Summary
Malicious actors could exploit this due to an out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process.
Remote unauthenticated attackers can send crafted IKE_SA_INIT and IKE_SA_AUTH packets to trigger a stack-based buffer overflow in the ike2_ProcessPayload_CERT function, overflowing a 520-byte stack buffer without proper bounds checking.
This impacts VPN setups using IKEv2 or dynamic gateways and can continue even after deleting them if any static peers are still active on UDP port 500.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025- 9242 | WatchGuard Firebox Appliances with Fireware OS 11.10.2-11.12.4_Update1, 12.0-12.11.3, 2025.1 | Insufficient bounds checking in IKEv2 negotiations allows oversized identification payloads to cause buffer overflow, enabling control flow hijacking and ROP chains for code execution | Arbitrary Code Execution, System Compromise, Data Exfiltration, Ransomware Deployment, Pivoting to Internal Networks |
Recommendations:
You can update to the latest versions from the below table
| Vulnerable Version | Resolved Version |
| 2025.1 | 2025.1.1 |
| 12.x | 12.11.4 |
| 12.5.x (T15 & T35 models) | 12.5.13 |
| 12.3.1 (FIPS-certified release) | 12.3.1_Update3 (B722811) |
| 11.x | End of Life |
Here are some recommendations below –
- Disable unnecessary IKEv2 VPN configurations and restrict access to trusted networks only.
- Monitor logs for anomalous traffic.
- Implement network segmentation to limit lateral movement and regularly audit VPN setups.
Conclusion:
This critical vulnerability in WatchGuard Firebox appliances could allow remote attackers to achieve code execution and compromise perimeter defenses.
Although no exploits are in the wild but its unauthenticated nature and detailed public analysis make it a significant security risk requiring immediate action. Upgrading to the fixed version and applying recommended mitigations are strongly advised to ensure organizational security.
References:
Recent Comments