CISA Alerts On Exploited WatchGuard Firebox Out-of-Bounds Write Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in WatchGuard Firebox firewalls to its Known Exploited Vulnerabilities (KEV) catalog, highlighting active exploitation in the wild.

Tracked as CVE-2025-9242, this out-of-bounds write flaw in the Fireware OS ike process enables remote, unauthenticated attackers to execute arbitrary code, posing a severe risk to network perimeters.

Added on November 12, 2025, with a federal remediation deadline of December 3, 2025, the alert underscores the urgency for organizations to patch affected devices amid confirmed threat actor activity.​

Vulnerability Details

CVE-2025-9242 stems from inadequate bounds checking during the Internet Key Exchange version 2 (IKEv2) handshake in the iked process, which manages VPN connections.

Security researchers at watchTowr Labs first disclosed the issue, noting a stack-based buffer overflow in the ike2_ProcessPayload_CERT function, where a fixed 520-byte buffer copies client-supplied identification payloads without proper length validation.

This pre-authentication vulnerability allows attackers to send crafted IKEv2 packets over UDP ports 500 or 4500, overwriting memory and hijacking execution flow before any certificate checks occur.

The flaw affects Fireware OS versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, 2025.1, and specific models, such as the Firebox T15/T35 on 12.5.x.

It primarily impacts configurations using mobile or branch-office VPNs with IKEv2 and dynamic gateway peers.

However, deleted setups may leave residual risks if static peers remain active. With a CVSS v3.1 base score of 9.3 (Critical), exploitation could grant complete device control, enabling traffic interception, lateral movement, or ransomware deployment.

As of November 12, 2025, over 54,300 Firebox instances worldwide remain exposed, down from nearly 76,000 in October, per Shadowserver scans.

While no ransomware ties have been confirmed, experts warn that the bug’s characteristics internet-facing, no-auth RCE on perimeter gear make it a prime target for advanced persistent threats and cybercriminals.

Mitigation and Recommendations

WatchGuard released patches on September 17, 2025, urging immediate upgrades to resolved versions: Fireware OS 2025.1.1, 12.11.4, 12.5.13 for T15/T35, or 12.3.1_Update3 for FIPS builds devices on the 11.

The X series is at the end of its life and must be replaced, as no fixes are available.

For unpatched systems, WatchGuard advises securing branch office VPNs per IPSec/IKEv2 best practices, such as restricting dynamic peers and monitoring IKE traffic for anomalies.

CISA recommends integrating the KEV catalog into vulnerability management frameworks, prioritizing patches for federal agencies under BOD 22-01.

Organizations should scan for vulnerable Fireboxes using tools like Shodan or Shadowserver, turn off unnecessary IKEv2 if possible, and implement network segmentation to limit blast radius.

Indicators of compromise include suspicious UDP traffic on ports 500/4500, unexpected processes like Python shells or BusyBox binaries, and outbound connections from firewalls.

Threat hunters can leverage EDR on management interfaces and review logs for IKE handshake failures.

In summary, CVE-2025-9242 exemplifies the persistent risks posed by network appliances, where outdated code meets the sophistication of modern attacks.

Prompt action can thwart exploitation and safeguard critical infrastructure from perimeter breaches.

As the KEV catalog grows to 1,459 entries, proactive patching remains the cornerstone of resilient cybersecurity.