Critical Remote Code Execution Vulnerability in WatchGuard Fireware OS VPN (CVE-2025-9242)
A critical security vulnerability, tracked as CVE-2025-9242, was discovered in WatchGuard Fireware OS, which powers WatchGuard’s Firebox network security appliances. The flaw is an out-of-bounds write in the iked process, specifically in the function 'ike2_ProcessPayload_CERT' in the file 'src/ike/iked/v2/ike2_payload_cert.c'. It arises from a missing length check on the identification buffer, which lets a remote, unauthenticated attacker trigger a stack-based buffer overflow. Exploitation enables arbitrary code execution during the IKE_SA_AUTH phase of the IKEv2 handshake, which is used to establish VPN tunnels. Both mobile user VPNs and branch office VPNs configured with dynamic gateway peers are affected, making the flaw a significant risk for organizations relying on these features.

Fireware OS versions 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1 are impacted. Fixes were released in 2025.1.1, 12.11.4, 12.3.1_Update3 (FIPS-certified), and 12.5.13 for specific models. The 11.x branch has reached end-of-life and is no longer supported.

Security researchers, including McCaulay Hudson of watchTowr Labs, highlighted that the vulnerability is particularly attractive to ransomware groups because it is remotely exploitable without authentication and targets internet-exposed perimeter appliances. WatchGuard’s Fireware OS is widely deployed, protecting over 250,000 small and midsize enterprises and more than 10 million endpoints globally, which amplifies the potential impact. The flaw was disclosed and patched following responsible disclosure, with WatchGuard issuing an advisory and urging customers to update affected devices immediately. It underscores the ongoing risk posed by classic buffer overflow issues, even in modern enterprise-grade security appliances.
Researchers were able to reproduce the exploit, demonstrating the ease with which attackers could compromise vulnerable systems. The lack of mainstream exploit mitigations in the affected code path further increases the risk of successful exploitation. Organizations using WatchGuard Fireware OS are advised to review their VPN configurations, apply the latest patches, and consider additional monitoring for signs of exploitation. The incident highlights the importance of timely patch management and the persistent threat posed by memory safety vulnerabilities in critical infrastructure.
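The remediation advice above comes down to one question per appliance: is the running Fireware OS build inside one of the affected ranges, and if so, is it one of the named fixed releases? The following script is an added example, not code from WatchGuard, watchTowr Labs or any of the cited reports; it encodes only the version ranges and fixed releases stated on this page. The version-string format (major.minor[.patch][_UpdateN]) and the sample inventory are assumptions for illustration.

```python
import re
from typing import Tuple

# Inclusive (low, high) bounds of affected releases per branch, as stated on the page.
AFFECTED_RANGES = [
    ("11.10.2", "11.12.4_Update1"),   # 11.x branch is end-of-life: affected, no fix
    ("12.0", "12.11.3"),
    ("2025.1", "2025.1"),
]

# Releases named on the page as carrying the fix. 12.3.1_Update3 and 12.5.13 are
# branch-specific fixed builds that sit numerically inside the 12.x affected range,
# so they must be checked before the range comparison.
FIXED_RELEASES = ["2025.1.1", "12.11.4", "12.3.1_Update3", "12.5.13"]

EOL_MAJOR = 11

# Assumed format: "major.minor", optionally ".patch", optionally "_UpdateN".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?$")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse a Fireware OS version string into a comparable (major, minor, patch, update) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware OS version string: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def assess(version_text: str) -> str:
    """Classify a version as 'fixed', 'affected',
    'affected (end-of-life, no fix available)' or 'not in listed range'."""
    v = parse_version(version_text)
    # Named fixed builds win over the range check (they can lie inside a range).
    if any(v == parse_version(f) for f in FIXED_RELEASES):
        return "fixed"
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            if v[0] == EOL_MAJOR:
                return "affected (end-of-life, no fix available)"
            return "affected"
    return "not in listed range"


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up for the demo.
    inventory = {
        "fw-edge-01": "12.11.3",
        "fw-edge-02": "12.11.4",
        "fw-branch-07": "12.5.12",
        "fw-lab-legacy": "11.12.4_Update1",
        "fw-hq": "2025.1.1",
    }
    for host, ver in inventory.items():
        print(f"{host:14} {ver:16} {assess(ver)}")
```

The check follows the page's ranges literally: any 12.x build between 12.0 and 12.11.3 that is not one of the four named fixed releases is reported as affected, and builds newer than the listed fixes (or outside every range) are reported as "not in listed range" rather than guessed at. The page notes that 12.5.13 applies only to specific models, so a "fixed" verdict for that build still needs to be confirmed against the vendor's model list.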

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers publish exploitation details for CVE-2025-9242
Public reporting described how the flaw in the iked process, specifically ike2_ProcessPayload_CERT during the IKE_SA_AUTH phase, could be exploited to obtain a Python shell and then escalate to a full Linux shell on vulnerable devices.
WatchGuard releases patches for supported Fireware OS versions
By the time of public reporting, WatchGuard had issued fixes for supported Fireware OS versions affected by CVE-2025-9242, while end-of-life versions remained unpatched.
watchTowr Labs discloses WatchGuard Fireware OS RCE flaw CVE-2025-9242
watchTowr Labs publicly disclosed CVE-2025-9242, a critical out-of-bounds write in WatchGuard Fireware OS's IKEv2 handling that can allow unauthenticated remote code execution on affected devices.
Sources
3 references tracked.
Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices (thehackernews.com)
A critical WatchGuard Fireware flaw could allow unauthenticated code execution (securityaffairs.com)
yIKEs (WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242) (labs.watchtowr.com)