Critical Remote Code Execution Vulnerability in WatchGuard Fireware OS VPN
A critical vulnerability, tracked as CVE-2025-9242, has been discovered in WatchGuard's Fireware OS, affecting a wide range of Firebox network security appliances. This flaw is an out-of-bounds write in the 'iked' process, which is responsible for handling IKEv2 VPN negotiations. The vulnerability allows remote attackers to execute arbitrary code on affected devices without authentication, posing a severe risk to organizations relying on these appliances for network security. The issue specifically impacts devices configured with mobile user VPNs or branch office VPNs using IKEv2 with dynamic gateway peers. Security researchers have demonstrated that attackers can exploit this bug by sending specially crafted IKEv2 packets during the IKE_SA_AUTH phase, triggering a buffer overflow in the ike2_ProcessPayload_CERT function. Once exploited, attackers can gain control of the instruction pointer, establish Python interactive shells over TCP, and escalate to a full Linux shell by remounting filesystems and deploying BusyBox binaries. The vulnerability has been assigned a CVSS score of 9.3, underscoring its critical nature. According to scans by The Shadowserver Foundation, nearly 76,000 Firebox appliances remain exposed and vulnerable on the public internet, with the highest concentrations in the United States, Germany, Italy, the United Kingdom, Canada, and France. Affected Fireware OS versions include 11.10.2 through 11.12.4_Update1, the entire 12.0 series up to 12.11.3, and the 2025.1 release, impacting both older and newer Firebox models. WatchGuard has released patches in versions 12.3.1_Update3, 12.5.13, 12.11.4, and 2025.1.1 to address the vulnerability. Devices running version 11.x are no longer supported and will not receive security updates, prompting the vendor to recommend upgrading to a supported version. For appliances configured only with Branch Office VPNs to static gateway peers, WatchGuard has provided documentation for securing connections as a temporary workaround. The vulnerability transforms trusted security appliances into potential entry points for attackers, threatening the integrity of network defenses. Organizations are urged to assess their Firebox deployments, prioritize patching, and review VPN configurations to mitigate the risk. The widespread exposure of vulnerable devices highlights the urgency of remediation efforts. WatchGuard's disclosure and the subsequent public scanning have brought significant attention to the issue, emphasizing the importance of timely patch management in network security infrastructure. Failure to address this vulnerability could result in unauthorized access, lateral movement, and compromise of sensitive internal networks. The incident serves as a stark reminder of the risks posed by critical flaws in security appliances and the need for continuous monitoring and rapid response.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
More than 75,000 vulnerable Firebox appliances remain exposed a month later
On October 21, 2025, reporting indicated that over 75,000 internet-exposed WatchGuard Firebox devices were still vulnerable more than a month after patches became available. The affected systems were especially concentrated in the U.S., Germany, Italy, the U.K., Canada, and France, underscoring slow patch adoption.
Shadowserver finds nearly 76,000 internet-exposed vulnerable Firebox devices
By October 20, 2025, Shadowserver Foundation scans showed that almost 76,000 WatchGuard Firebox appliances remained exposed on the public internet and vulnerable to CVE-2025-9242. Reports said the largest concentrations were in the United States and Europe and noted no active exploitation had been reported at that time.
WatchGuard discloses CVE-2025-9242 and releases patches
On September 17, 2025, WatchGuard disclosed the critical Firebox vulnerability CVE-2025-9242, an out-of-bounds write in the Fireware OS 'iked' process that can enable unauthenticated remote code execution via crafted IKEv2 packets. The company released patched Fireware versions, advised temporary workarounds for some VPN configurations, and said unsupported 11.x devices must be upgraded because they will not receive fixes.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Vulnerable WatchGuard Firebox appliances continue to exceed 75K
scworld.com
Open sourceWatchGuard VPN Flaw Gives Hackers Full Firewall Control
techrepublic.com
Open sourceOver 75,000 WatchGuard security devices vulnerable to critical RCE
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Remote Code Execution Vulnerability in WatchGuard Fireware OS VPN (CVE-2025-9242)
A critical security vulnerability, tracked as CVE-2025-9242, was discovered in WatchGuard Fireware OS, which powers WatchGuard’s Firebox network security appliances. This flaw is an out-of-bounds write vulnerability in the iked process, specifically within the function 'ike2_ProcessPayload_CERT' in the file 'src/ike/iked/v2/ike2_payload_cert.c'. The vulnerability arises due to a missing length check on the identification buffer, allowing a remote, unauthenticated attacker to trigger a stack-based buffer overflow. Exploitation of this flaw enables arbitrary code execution during the IKE_SA_AUTH phase of the IKEv2 handshake, which is used to establish VPN tunnels. The vulnerability affects both mobile user VPNs and branch office VPNs configured with dynamic gateway peers, making it a significant risk for organizations relying on these features. Fireware OS versions 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1 are impacted, with fixes released in 2025.1.1, 12.11.4, 12.3.1_Update3 (FIPS-certified), and 12.5.13 for specific models. The 11.x branch has reached end-of-life and is no longer supported. Security researchers, including McCaulay Hudson of watchTowr Labs, highlighted that the vulnerability is particularly attractive to ransomware groups due to its remote, unauthenticated nature and the fact that it targets internet-exposed perimeter appliances. WatchGuard’s Fireware OS is widely deployed, protecting over 250,000 small and midsize enterprises and more than 10 million endpoints globally, amplifying the potential impact of this vulnerability. The flaw was disclosed and patched following responsible disclosure, with WatchGuard issuing an advisory and urging customers to update affected devices immediately. The vulnerability underscores the ongoing risk posed by classic buffer overflow issues, even in modern enterprise-grade security appliances. Researchers were able to reproduce the exploit, demonstrating the ease with which attackers could compromise vulnerable systems. The lack of mainstream exploit mitigations in the affected code path further increases the risk of successful exploitation. Organizations using WatchGuard Fireware OS are advised to review their VPN configurations, apply the latest patches, and consider additional monitoring for signs of exploitation. The incident highlights the importance of timely patch management and the persistent threat posed by memory safety vulnerabilities in critical infrastructure.
Jun 29, 2026
WatchGuard Firebox Zero-Day Exploited for Remote Code Execution
A critical zero-day vulnerability, identified as CVE-2025-14733, has been discovered in WatchGuard Firebox firewalls, allowing remote unauthenticated attackers to execute arbitrary code. The flaw, rated with a CVSS score of 9.3, resides in the `iked` process responsible for handling IKEv2 VPN connections, specifically affecting both Mobile User VPN and Branch Office VPN configurations. Attackers can exploit this out-of-bounds write vulnerability by sending specially crafted requests, potentially leading to full device compromise and firewall hijacking. WatchGuard has confirmed active exploitation of this vulnerability in the wild, with threat actors targeting exposed devices. Indicators of compromise include suspicious IP addresses, unusually large certificate payloads in IKE_AUTH requests, long certificate chains, and unexpected crashes of the `iked` process. Administrators are urged to apply the latest security updates immediately and review their logs for signs of compromise. The vulnerability affects Fireware OS versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.5, and 2025.1 through 2025.1.3.
Jun 29, 2026
Active Exploitation of Critical WatchGuard Firebox Vulnerabilities
WatchGuard has confirmed that its Firebox firewall devices are being actively targeted due to a critical remote code execution vulnerability, CVE-2025-32978, which allows unauthenticated attackers to execute arbitrary commands remotely. The flaw resides in the Fireware OS Internet Key Exchange (IKE) service and can be exploited if the device is accessible over the internet, potentially giving attackers full control of the firewall. WatchGuard has released emergency patches and indicators of compromise, urging customers to update their firmware immediately or apply temporary workarounds if patching is not possible. The vulnerability affects configurations involving mobile user VPN with IKEv2 and branch office VPNs using IKEv2, even if some configurations have been deleted but others remain. In response to evidence of active exploitation, CISA has added a WatchGuard Firebox vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting the significant risk such flaws pose to federal and enterprise networks. CISA's directive requires federal agencies to remediate these vulnerabilities by a set deadline and strongly encourages all organizations to prioritize patching to reduce exposure to cyberattacks. The inclusion in the KEV Catalog underscores the urgency for organizations to address these vulnerabilities as part of their ongoing vulnerability management practices.
Jun 29, 2026