Full Report
A vulnerability has been discovered in WatchGuard Fireware OS that could allow arbitrary code execution. Fireware OS is the software that runs on WatchGuard Firebox firewalls; it includes a Web UI for managing and monitoring each Firebox in your network, but the flaw itself is in the IKEv2 daemon (iked), not in the Web UI. Successful exploitation may allow a remote, unauthenticated attacker to execute arbitrary code on the Firebox. Because the vulnerable code is a system daemon rather than an interactive user session, the attacker's code runs with whatever privileges the iked process holds on the firewall; the usual caveat that accounts with fewer user rights limit the impact does not apply here. An attacker who gains that foothold could install programs and view, change, or delete data on the device.
Analysis Summary
# Vulnerability: Arbitrary Code Execution in WatchGuard Fireware OS via IKEv2 Process
## CVE Details
- CVE ID: CVE-2025-9242
- CVSS Score: Not stated in the source text; remote, unauthenticated code execution on a perimeter firewall is consistent with a Critical rating, but confirm the vector string in the vendor advisory.
- CWE: Out-of-bounds Write
## Affected Systems
- Products: WatchGuard Fireware OS (running on Firebox firewalls)
- Versions:
- Fireware OS 11.10.2 up to and including 11.12.4_Update1
- Fireware OS 12.0 up to and including 12.11.3
- Fireware OS 2025.1
- Configurations: A Firebox is vulnerable if it has, or at any time had, a mobile user VPN with IKEv2 or a branch office VPN with a dynamic gateway peer configured; deleting such a configuration does not remove the exposure. A branch office VPN to a static gateway peer is also vulnerable if one of those IKEv2 configurations existed previously, so a current configuration export alone is not enough to rule a device out; its configuration history must be checked as well.
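The affected-version ranges and the configuration condition above are easy to get wrong by hand, especially the `_UpdateN` suffix, which must sort after its base version, and the rule that a deleted IKEv2 configuration still counts. The following triage helper is an added example written for this page, not WatchGuard's own tooling; it assumes that versions take the form `major.minor[.patch][_UpdateN]` and that the two configuration flags describe whether the IKEv2 mobile user VPN or dynamic-peer BOVPN was ever present on the device.

```python
import re
from typing import Tuple

# Affected ranges exactly as listed above, inclusive on both ends.
# The 2025.1 entry is a single version, so its range collapses to one point.
AFFECTED_RANGES = [
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.3"),
    ("2025.1", "2025.1"),
]

# Dotted numeric version with an optional "_UpdateN" suffix, e.g. 11.12.4_Update1.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){0,2})(?:_Update(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Map a Fireware version string to a comparable (major, minor, patch, update) tuple.

    "12.11.3" -> (12, 11, 3, 0); "11.12.4_Update1" -> (11, 12, 4, 1);
    "2025.1" -> (2025, 1, 0, 0). Treating the Update number as a fourth
    component makes 11.12.4_Update1 sort after 11.12.4 and before 11.12.5,
    which is what the inclusive upper bound above needs.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    update = int(m.group(2)) if m.group(2) else 0
    return (parts[0], parts[1], parts[2], update)


def is_affected_version(version: str) -> bool:
    """True if the version falls inside any listed affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(version: str, ever_mvpn_ikev2: bool, ever_bovpn_dynamic_peer: bool) -> str:
    """Combine the version check with the configuration condition from the advisory.

    The two flags (assumed inputs for this example) must reflect whether the
    configuration was EVER present, not only whether it is present now: the
    advisory says a Firebox remains vulnerable when an IKEv2 mobile user VPN
    or dynamic-peer BOVPN was configured and later deleted, which is also why
    a static-peer BOVPN counts as exposed when one of those existed before.
    """
    if not is_affected_version(version):
        return "not affected: version outside the listed ranges"
    if ever_mvpn_ikev2 or ever_bovpn_dynamic_peer:
        return "vulnerable: affected version with current or past IKEv2 exposure"
    return "affected version without listed IKEv2 exposure: patch anyway, verify config history"


if __name__ == "__main__":
    for ver in ("11.12.4_Update1", "11.12.5", "12.11.3", "12.11.4", "2025.1"):
        print(ver, "->", triage(ver, ever_mvpn_ikev2=True, ever_bovpn_dynamic_peer=False))
```

A coarse range check like this cannot tell branch-specific fixed builds apart from unpatched ones inside the same range, so treat its output as a prioritisation aid and confirm against the fixed versions in the vendor advisory before closing a ticket.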
## Vulnerability Description
This vulnerability is an Out-of-bounds Write flaw in the **iked process** of WatchGuard Fireware OS, the daemon that handles IKEv2 negotiation for the Firebox's VPNs. Successful exploitation allows a remote, unauthenticated attacker to achieve **Arbitrary Code Execution (ACE)** on the firewall itself. The affected attack surface is IKEv2 for mobile user VPNs and IKEv2 branch office VPNs with a dynamic gateway peer; because a Firebox that once had such a configuration stays exposed after it is deleted, a static-peer branch office VPN can be reachable through the same flaw. Code executed this way inherits the privileges of the iked process rather than those of any logged-in user, and from there an attacker could install programs and view, change, or delete data on the device.
## Exploitation
- Status: Not known to be exploited in the wild as of the advisory date.
- Complexity: Not stated in the source text. No authentication or user interaction is required; the attacker only needs network reachability to the Firebox's IKEv2 listener (UDP 500, and UDP 4500 for IKE over NAT-T), which is Internet-facing by design on a firewall that terminates VPNs.
- Attack Vector: Network (Initial Access via Public-Facing Application - T1190).
## Impact
- Confidentiality: High (code execution on the firewall exposes its configuration, credentials, and the traffic it inspects).
- Integrity: High (ability to install programs and to change or delete configuration and data).
- Availability: High (a failed or crude exploit of a memory-corruption bug in `iked` can crash the daemon and drop VPN tunnels; a successful one lets the attacker disrupt the device at will).
## Remediation
### Patches
Specific patch versions are not listed in the provided text. Remediation requires applying the **updates WatchGuard provides for each affected release branch immediately** after appropriate testing; the vendor advisory (WGSA-2025-00015) lists the fixed builds and should be used to confirm the target version for each branch.
### Workarounds
No vendor workaround is provided in the excerpt. Until the patch is applied, the dependable interim control is to limit who can reach the IKEv2 listener: for branch office VPNs, restrict inbound UDP 500 and UDP 4500 to the addresses of known gateway peers at the network edge. Do not rely on deleting the affected VPN configuration, since the advisory states that a Firebox which previously had an IKEv2 mobile user VPN or dynamic-peer BOVPN remains vulnerable after the configuration is removed. Mobile user VPN with IKEv2 accepts connections from arbitrary source addresses by design, so it cannot be peer-restricted without cutting off users; for that deployment, patching is the only practical fix.
## Detection
- Indicators of Compromise: None published in the source text. Successful exploitation of a memory-corruption bug in `iked` would plausibly show up as crashes or restarts of the daemon, unexpected child processes or outbound connections originating from it, or unexplained configuration and file changes on the Firebox. IKEv2 negotiation attempts from addresses that are not known gateway peers are a useful hunting pivot where the device only terminates branch office VPNs.
- Detection methods and tools: Utilize capabilities designed to detect and block conditions indicative of a software exploit occurring (Mitigation M1050: Exploit Protection). Collect and review Firebox diagnostic logs for `iked` errors and restarts, and monitor flow or packet data for UDP 500/4500 traffic from unexpected sources.
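The workaround and detection points above both come down to the same question: who is sending IKEv2 traffic to the Firebox, and does it look like well-formed IKE from a peer you expect? The following audit is an added example written for this page, not a WatchGuard tool and not a signature for this CVE (the source text does not describe the trigger). It parses the fixed IKEv2 header as defined in RFC 7296 section 3.1, handles the NAT-T non-ESP marker on UDP/4500, flags IKE_SA_INIT requests from sources outside an assumed known-peer list, and flags datagrams whose header is inconsistent with the datagram. The sample datagrams and the 203.0.113.0/24 peer range are constructed for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# IKEv2 fixed header (RFC 7296 section 3.1): initiator SPI, responder SPI,
# next payload, version, exchange type, flags, message ID, length. 28 bytes.
IKE_HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20
IKE_PORTS = {500, 4500}  # UDP/500 plain IKE, UDP/4500 IKE over NAT-T


@dataclass
class Datagram:
    src: str      # source IP address as a string
    dport: int    # destination UDP port
    payload: bytes


@dataclass
class Finding:
    src: str
    reason: str
    exchange: Optional[str] = None


def parse_ikev2_header(payload: bytes, dport: int) -> Tuple[int, int, int]:
    """Return (exchange_type, flags, message_id) or raise ValueError on a malformed header."""
    body = payload
    if dport == 4500:
        # NAT-T encapsulation puts a four-byte zero "non-ESP marker" before the IKE header.
        if len(body) < 4 or body[:4] != b"\x00\x00\x00\x00":
            raise ValueError("UDP/4500 datagram without non-ESP marker")
        body = body[4:]
    if len(body) < IKE_HEADER.size:
        raise ValueError("datagram shorter than the 28-byte IKEv2 header")
    _spi_i, _spi_r, _next, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(body)
    if version >> 4 != 2:
        raise ValueError(f"major version {version >> 4} is not IKEv2")
    if length != len(body):
        # A length field that disagrees with the datagram is the kind of inconsistency a
        # parser must reject; it is a generic sanity check, not a signature for this CVE.
        raise ValueError(f"length field {length} != datagram length {len(body)}")
    return exch, flags, msg_id


def audit_ike_traffic(datagrams: List[Datagram], known_peers: List[str]) -> List[Finding]:
    """Flag IKE_SA_INIT requests from sources outside the known-peer list and malformed IKE datagrams."""
    nets = [ip_network(p) for p in known_peers]
    findings: List[Finding] = []
    for d in datagrams:
        if d.dport not in IKE_PORTS:
            continue
        known = any(ip_address(d.src) in n for n in nets)
        try:
            exch, flags, _ = parse_ikev2_header(d.payload, d.dport)
        except ValueError as err:
            findings.append(Finding(d.src, f"malformed IKE datagram: {err}"))
            continue
        name = EXCHANGE_TYPES.get(exch, f"unknown({exch})")
        is_request = bool(flags & FLAG_INITIATOR) and not (flags & FLAG_RESPONSE)
        if name == "IKE_SA_INIT" and is_request and not known:
            findings.append(Finding(d.src, "IKE_SA_INIT request from a source that is not a known peer", name))
    return findings


def build_header(exch: int, flags: int, length: int) -> bytes:
    """Build a header-only IKEv2 datagram for the constructed samples below (next payload 33 = SA)."""
    return IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 33, 0x20, exch, flags, 0, length)


def sample_datagrams() -> List[Datagram]:
    """Constructed sample traffic (not a capture); 203.0.113.0/24 is the assumed known BOVPN peer range."""
    init = build_header(34, FLAG_INITIATOR, IKE_HEADER.size)
    return [
        Datagram("203.0.113.10", 500, init),                                 # known peer: no finding
        Datagram("198.51.100.77", 500, init),                                # unknown source: finding
        Datagram("198.51.100.77", 4500, b"\x00" * 4 + init),                 # same, via NAT-T: finding
        Datagram("192.0.2.5", 500, build_header(34, FLAG_INITIATOR, 4096)),  # length mismatch: finding
        Datagram("203.0.113.10", 500, build_header(35, FLAG_INITIATOR, 28)), # IKE_AUTH, known: no finding
        Datagram("198.51.100.77", 53, b"not ike"),                           # not an IKE port: ignored
    ]


if __name__ == "__main__":
    for f in audit_ike_traffic(sample_datagrams(), ["203.0.113.0/24"]):
        print(f.src, f.exchange or "-", f.reason)
```

The known-peer check is only meaningful for branch office VPNs, whose gateway peers are fixed; a mobile user VPN receives IKE_SA_INIT from roaming users at arbitrary addresses, so on such a device every finding of the first kind is expected noise and the patch is the only real control. The same header parsing can be lifted into a Zeek or Suricata-style rule once the allowlist is known.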
## References
- Arctic Wolf
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9242
- WatchGuard: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015