Full Report
Nearly 76,000 WatchGuard Firebox network security appliances are exposed on the public web and still vulnerable to a critical issue (CVE-2025-9242) that could allow a remote attacker to execute code without authentication. [...]
Analysis Summary
# Vulnerability: Critical Remote Code Execution in WatchGuard Firebox Firewalls
## CVE Details
- CVE ID: CVE-2025-9242
- CVSS Score: 9.3 (Critical)
- CWE: Out-of-bounds Write (Inferred from description)
## Affected Systems
- Products: WatchGuard Firebox network security appliances running Fireware OS
- Versions:
  - 11.10.2 through 11.12.4_Update1
  - 12.0 through 12.11.3
  - 2025.1
- Configurations: Affects devices using IKEv2 VPNs with dynamic gateway peers.
## Vulnerability Description
The vulnerability is an **out-of-bounds write** flaw residing in the `iked` process within the Fireware OS. This process is responsible for handling IKEv2 VPN negotiations. An unauthenticated remote attacker can exploit this by sending specially crafted IKEv2 packets to vulnerable endpoints, forcing the system to write data to unintended memory locations, leading to Remote Code Execution (RCE).
## Exploitation
- Status: No active exploitation reported, but high risk due to criticality and exposure.
- Complexity: Low (Implied by unauthenticated network attack vector).
- Attack Vector: Network
## Impact
- Confidentiality: High (Likely full system compromise possible via RCE)
- Integrity: High (Likely full system compromise possible via RCE)
- Availability: High (Potential for denial of service or system compromise)
## Remediation
### Patches
WatchGuard advises upgrading to one of the fixed releases:
- 2025.1.1
- 12.11.4
- 12.5.13
- 12.3.1_Update3 (B722811)
*Note: Version 11.x has reached end-of-support and receives no fix; devices on it should be migrated off immediately.*
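As an added example (not code from WatchGuard or the news source), the following Python helper classifies a Fireware OS version string against the affected ranges in Affected Systems and the fixed releases listed above, for use over a device inventory. It handles the `_UpdateN` suffix and the fact that some fixed releases (12.5.13, 12.3.1_Update3) fall inside the affected 12.x range; the upgrade-target heuristic and the build-tag handling are assumptions, not advisory text.

```python
import re

# Affected ranges and fixed releases exactly as listed on this page.
AFFECTED_RANGES = [("11.10.2", "11.12.4_Update1"), ("12.0", "12.11.3"), ("2025.1", "2025.1")]
FIXED_RELEASES = ["2025.1.1", "12.11.4", "12.5.13", "12.3.1_Update3 (B722811)"]

def parse_version(text):
    """'12.3.1_Update3 (B722811)' -> (12, 3, 1, 3).
    Numeric parts are padded to three so '12.0' equals '12.0.0'; an _UpdateN
    suffix becomes a fourth component so it sorts after the base release; a
    trailing '(Bnnnnnn)' build tag is ignored (assumption about the format).
    """
    core = text.strip().split()[0]
    m = re.fullmatch(r"(\d+(?:\.\d+){0,2})(?:_Update(\d+))?", core)
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    nums = [int(n) for n in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    return (*nums, int(m.group(2) or 0))

def status(version):
    """Return 'fixed', 'affected' or 'not-affected' for one Fireware version.

    Fixed releases are checked first because two of them (12.5.13 and
    12.3.1_Update3) sit inside the '12.0 through 12.11.3' range: a version is
    fixed when it is on the same major.minor branch as a fix and not older.
    """
    v = parse_version(version)
    for fix in FIXED_RELEASES:
        f = parse_version(fix)
        if v[:2] == f[:2] and v >= f:
            return "fixed"
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return "affected"
    return "not-affected"

def upgrade_target(version):
    """Suggest where an affected device should go (assumption: the lowest
    fixed release of the same major line that is not older than the running
    version; 11.x has no fix and must be migrated, per the note above)."""
    v = parse_version(version)
    if v[0] == 11:
        return "migrate off 11.x (end-of-support)"
    for f, name in sorted((parse_version(f), f) for f in FIXED_RELEASES):
        if f[0] == v[0] and f >= v:
            return name
    return "no listed fix for this line"
```

Feed it the version strings from your own inventory export; anything reported as `affected` with a public IKEv2 listener is the population the news excerpt counts.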
### Workarounds
For devices that terminate only Branch Office VPNs to **static** gateway peers, WatchGuard's documentation on securing those connections with IPSec and IKEv2 can be followed as a temporary measure until the device is upgraded.
## Detection
- **Indicators of Compromise (IOCs):** None are detailed in the source; look for unusual IKEv2 negotiation activity against the appliance and for unexpected process or execution events tied to the `iked` process.
- **Detection Methods and Tools:** Monitor network traffic for malformed or non-standard IKEv2 handshake packets directed at the Firebox appliance's public IP address. Administrators who cannot patch immediately should treat exposed devices as at risk of compromise.
## References
- Vendor Advisory: WatchGuard security bulletin (dated Sep 17 according to the source)
- News Source: bleepingcomputer dot com/news/security/over-75-000-watchguard-security-devices-vulnerable-to-critical-rce/