Full Report
CISA has ordered federal agencies to patch an actively exploited vulnerability in WatchGuard Firebox firewalls, which allows attackers to gain remote code execution on compromised devices. [...]
Analysis Summary
# Vulnerability: Remote Code Execution in WatchGuard Firebox Firewalls
## CVE Details
- CVE ID: CVE-2025-9242
- CVSS Score: Not stated in the source text. An unauthenticated, network-reachable out-of-bounds write that yields code execution is rated Critical in practice; take the authoritative score from the WatchGuard advisory.
- CWE: Out-of-bounds write (CWE-787)
## Affected Systems
- Products: WatchGuard Firebox firewalls running Fireware OS
- Versions: Fireware OS 11.x (End of Life), 12.x, and 2025.1
- Configurations: Not specified in the source text beyond the OS versions. The Shadowserver dataset cited in References identifies exposed devices through the ISAKMP (IKE) service, which suggests that Fireboxes with IKE-based VPN reachable from the internet are the deployments to prioritise.
## Vulnerability Description
The vulnerability is an **out-of-bounds write** (CWE-787) in the affected Fireware OS versions. A remote, unauthenticated attacker who can reach the vulnerable service can trigger it to execute arbitrary code on the firewall. Because the device sits at the network edge and terminates VPN and management traffic, code execution on it gives the attacker a position from which to read, alter or redirect traffic and to pivot into the internal network.
## Exploitation
- Status: **Exploited in the wild** (Added to CISA KEV catalog)
- Complexity: Not stated in the source text. No authentication is required and the flaw is being exploited in the wild, so treat it as low-complexity for prioritisation.
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (code execution on the firewall exposes its configuration, stored credentials and the traffic passing through it)
- Integrity: High (the attacker can change rules, add administrative accounts or implant persistent malware)
- Availability: High (the attacker can crash or disable the device)
## Remediation
### Patches
- WatchGuard released fixed Fireware OS builds on 17 September 2025 (advisory WGSA-2025-00015).
*Note: The source text does not list the fixed build for each affected major line; take them from the advisory and upgrade every device on 12.x or 2025.1 accordingly. Fireware 11.x is end of life and will not receive a fix, so devices on it need to be replaced or taken off the network.*
### Workarounds
- Apply mitigations as per vendor instructions; until a device is patched, limit which sources can reach the affected service where the deployment allows it.
- Organizations should **discontinue use of the product if mitigations are unavailable** (per CISA KEV guidance).
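Fleet triage for the affected lines listed above, as an added example that is not from the advisory or from WatchGuard: it parses Fireware version strings such as `12.3.1_Update2` or `2025.1` and sorts an inventory into end-of-life, affected and patched. The fixed release numbers are not in the source text, so the script takes them as input; the values in `HYPOTHETICAL_FIXED` and the inventory are constructed placeholders, not real devices or real fixed builds.

```python
import re

# Affected Fireware OS lines from the advisory summary above, keyed by the
# version prefix they cover. 11.x is end-of-life, so no fix is expected there.
AFFECTED_LINES = {
    "11.x":   ((11,),     True),    # (prefix, end_of_life)
    "12.x":   ((12,),     False),
    "2025.1": ((2025, 1), False),
}

# Fireware versions look like "12.11.3", "12.3.1_Update2" or "2025.1".
# Anything else raises, so odd inventory entries get looked at rather than
# silently passing as "not affected".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?$", re.I)


def parse_version(text):
    """Turn a Fireware version string into a tuple that sorts correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def affected_line(version):
    """Name of the affected line a parsed version falls in, or None."""
    for name, (prefix, _eol) in AFFECTED_LINES.items():
        if version[:len(prefix)] == prefix:
            return name
    return None


def classify(version_text, fixed_versions=()):
    """Classify one device as patched / affected / eol_unpatchable.

    fixed_versions: fixed release strings taken from the vendor advisory.
    A device is 'patched' only when it is at or above a fixed release on its
    own major.minor branch; a fix on a different branch says nothing about
    this device, so it stays 'affected' until it is upgraded.
    """
    v = parse_version(version_text)
    line = affected_line(v)
    if line is None:
        return "not_in_affected_line"
    for fixed in fixed_versions:
        f = parse_version(fixed)
        if f[:2] == v[:2] and v >= f:
            return "patched"
    if AFFECTED_LINES[line][1]:
        return "eol_unpatchable"
    return "affected"


def triage(inventory, fixed_versions=()):
    """Return {hostname: status} for an inventory of (hostname, version) pairs."""
    return {host: classify(ver, fixed_versions) for host, ver in inventory}


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "11.12.4"),
    ("fw-hq-01", "12.11.3"),
    ("fw-hq-02", "12.11.10"),
    ("fw-lab-01", "12.3.1_Update2"),
    ("fw-lab-02", "12.5.12"),
    ("fw-dc-01", "2025.1"),
    ("fw-dc-02", "2025.1.9"),
]

# Placeholder fixed releases for illustration only; substitute the release
# numbers from WGSA-2025-00015 before running this against a real fleet.
HYPOTHETICAL_FIXED = ["12.11.9", "12.3.1_Update9", "2025.1.9"]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY, HYPOTHETICAL_FIXED).items():
        print(f"{host:14} {status}")
```

The branch-aware comparison matters because 12.x ships on several parallel branches; a device on a branch with no fixed release in the list stays `affected`, which is the right default until it is moved to a branch that has one.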
## Detection
- CISA has added this vulnerability to its **Known Exploited Vulnerabilities (KEV) catalog**.
- Monitor traffic to the Firebox's externally exposed services for sources that are not known VPN peers and for bursts from a single source. The Shadowserver dataset cited below identifies vulnerable devices through the ISAKMP (IKE) service, so IKE traffic (UDP 500/4500) is the first thing to watch.
- Review the device itself for signs of compromise: unexpected configuration changes, new administrative accounts, and unexplained reboots or crashes of system processes.
- **Indicators of Compromise (IOCs):** None are listed in the source text; the vendor advisory and the CISA alert are the places to look for indicators tied to observed exploitation.
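A small detection pass over traffic logs, as an added example that is not part of the original analysis. It assumes, from the Shadowserver ISAKMP dataset in References, that the exposed service is IKE on UDP 500/4500; the log format and the sample lines are constructed for the example and are not Fireware's own syslog, so `parse_line` is the part to adapt to whatever your firewall or flow collector emits.

```python
import re
from collections import defaultdict

# IKE/ISAKMP listens on UDP 500 and, behind NAT traversal, UDP 4500.
IKE_PORTS = {500, 4500}

# Constructed log format for this example (not Fireware's native syslog):
# "<ts> proto=<udp|tcp> src=<ip>:<port> dst=<ip>:<port> bytes=<n>"
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<size>\d+)$"
)


def parse_line(line):
    """Parse one constructed traffic-log line; None for lines that don't match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["size"] = int(rec["size"])
    return rec


def ike_peer_report(lines, allowed_peers, burst_threshold=20):
    """Count IKE datagrams per source and flag the peers worth a look.

    allowed_peers: external addresses of the VPN peers expected to talk IKE
    to this firewall (site-to-site gateways, known mobile-user ranges).
    burst_threshold: datagrams from one source within the log window that
    count as a burst; tune it to the window length of the log you feed in.
    Returns {src: {"count": n, "flags": [...]}} for every source that hit
    an IKE port; an empty flag list means the peer is known and quiet.
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] not in IKE_PORTS:
            continue
        counts[rec["src"]] += 1

    report = {}
    for src, n in counts.items():
        flags = []
        if src not in allowed_peers:
            flags.append("unexpected_peer")
        if n >= burst_threshold:
            flags.append("burst")
        report[src] = {"count": n, "flags": flags}
    return report


# Constructed sample: 192.0.2.1 is the firewall's external address,
# 203.0.113.10 a known site-to-site peer, 198.51.100.7 an unknown host
# hammering IKE, and 198.51.100.99 only touches the HTTPS port.
SAMPLE_LOG = [
    "2025-11-13T10:00:00Z proto=udp src=203.0.113.10:500 dst=192.0.2.1:500 bytes=312",
    "2025-11-13T10:00:01Z proto=udp src=203.0.113.10:4500 dst=192.0.2.1:4500 bytes=220",
    "2025-11-13T10:00:02Z proto=udp src=203.0.113.10:4500 dst=192.0.2.1:4500 bytes=196",
    "2025-11-13T10:00:03Z proto=tcp src=198.51.100.99:51000 dst=192.0.2.1:443 bytes=517",
] + [
    f"2025-11-13T10:01:{i:02d}Z proto=udp src=198.51.100.7:{40000 + i}"
    f" dst=192.0.2.1:500 bytes=1400"
    for i in range(25)
]

KNOWN_PEERS = {"203.0.113.10"}

if __name__ == "__main__":
    for src, info in ike_peer_report(SAMPLE_LOG, KNOWN_PEERS).items():
        print(f"{src:16} {info['count']:4d} {' '.join(info['flags']) or 'ok'}")
```

An allowlist of expected peers is only meaningful for site-to-site VPNs; if the firewall also serves mobile users from arbitrary addresses, drop the `unexpected_peer` flag and rely on the burst count and on the device-side checks listed above.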
## References
- WatchGuard Security Advisory: hxxps://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015
- CISA KEV Addition: hxxps://www.cisa.gov/news-events/alerts/2025/11/12/cisa-adds-three-known-exploited-vulnerabilities-catalog
- Shadowserver Statistics: hxxps://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=isakmp_vulnerable&source=isakmp_vulnerable6&tag=cve-2025-9242%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on