Full Report
Cybersecurity researchers have disclosed details of a recently patched critical security flaw in WatchGuard Fireware that could allow unauthenticated attackers to execute arbitrary code. The vulnerability, tracked as CVE-2025-9242 (CVSS score: 9.3), is described as an out-of-bounds write vulnerability affecting Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including
Analysis Summary
# Vulnerability: WatchGuard Fireware OS IKEv2 Out-of-Bounds Write Enabling RCE
## CVE Details
- CVE ID: CVE-2025-9242
- CVSS Score: 9.3 (Critical)
- CWE: CWE-787 (Out-of-bounds Write)
## Affected Systems
- Products: WatchGuard Fireware OS
- Versions: Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1 (note: the 11.x branch is End-of-Life)
- Configurations: Affects Mobile User VPN and Branch Office VPN when configured using IKEv2 with a dynamic gateway peer.
## Vulnerability Description
The vulnerability is an out-of-bounds write flaw residing in the `iked` process (the IKEv2 handling component of Fireware OS). Specifically, the function `ike2_ProcessPayload_CERT` in `src/ike/iked/v2/ike2_payload_cert.c` fails to perform a necessary length check on the client identification buffer before copying data into a 520-byte stack buffer. This allows a remote, unauthenticated attacker to write data past the buffer boundaries during the IKE_SA_AUTH phase of the VPN handshake, leading to arbitrary code execution.
## Exploitation
- Status: Not explicitly reported as exploited in the wild, but described as having all the characteristics ransomware gangs look for.
- Complexity: Low (Remote, Unauthenticated).
- Attack Vector: Network
## Impact
- Confidentiality: High (Arbitrary Code Execution)
- Integrity: High (Arbitrary Code Execution)
- Availability: High (Impacts perimeter device)
watchTowr Labs demonstrated that, although the device has no interactive shell by default, exploitation can yield control of the instruction pointer (RIP) and, via an mprotect() system call that bypasses the NX mitigation, an interactive Python shell. Further steps obtain a full Linux shell by remounting the filesystem read/write and deploying BusyBox.
## Remediation
### Patches
- Fireware OS 2025.1: Fixed in **2025.1.1**
- Fireware OS 12.x: Fixed in **12.11.4**
- Fireware OS 12.3.1 (FIPS-certified): Fixed in **12.3.1_Update3** (B722811)
- Fireware OS 12.5.x (T15 & T35 models): Fixed in **12.5.13**
- Fireware OS 11.x: End-of-Life, users should upgrade to supported versions.
### Workarounds
No specific workarounds were detailed in the provided summary, so immediate patching is the primary mitigation. (A general recommendation would be to restrict external access to the Firebox management and VPN interfaces if patching is delayed, though this is an unauthenticated flaw in the VPN process itself.)
## Detection
- **Indicators of Compromise (IoCs):** None explicitly listed. Suggested monitoring: IKEv2 VPN connection logs for unusual activity during the IKE_SA_AUTH phase, and anomalous outbound TCP connections originating from the Firebox after a VPN handshake attempt.
- **Detection Methods and Tools:** Network monitoring tools that can inspect raw IKEv2 traffic for abnormally sized identification payloads; signature-based detection for this vulnerability typically arrives through vendor-provided security updates.
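A check of the kind the Detection section describes, added here as an illustration and not code from WatchGuard or watchTowr: it walks the IKEv2 fixed header and generic payload chain (RFC 7296) and flags IDi/IDr/CERT payloads whose data exceeds the 520-byte buffer size the report cites, which is also the length check a receiver must perform before copying into such a buffer. It assumes plaintext framing; in a real IKE_AUTH exchange these payloads sit inside the encrypted SK payload, so this applies to decrypted captures or a test harness rather than passive inspection of live traffic. The function names and the sample message are my own; the payload type numbers are RFC values and the 520-byte limit comes from the report.

```python
import struct

IKE_HDR_LEN = 28        # RFC 7296 s3.1: SPIs (16), next, version, exchange, flags, msg id, length
PAYLOAD_HDR_LEN = 4     # RFC 7296 s3.2: next payload, critical/reserved, payload length (incl. header)
EXCH_IKE_AUTH = 35
PAYLOAD_NAMES = {35: "IDi", 36: "IDr", 37: "CERT"}
STACK_BUF_LEN = 520     # size the report attributes to the fixed stack buffer in iked
LENGTH_CHECKED = {35, 36, 37}   # IDi, IDr and CERT payloads

def parse_ike2_payloads(msg: bytes):
    """Return (exchange_type, [(payload_type, data_length), ...]); ValueError on bad framing."""
    if len(msg) < IKE_HDR_LEN:
        raise ValueError("short IKE header")
    nxt, _ver, exch, _flags, _msg_id, length = struct.unpack("!16xBBBBII", msg[:IKE_HDR_LEN])
    if length != len(msg):
        raise ValueError("header length %d != %d bytes present" % (length, len(msg)))
    payloads, off = [], IKE_HDR_LEN
    while nxt != 0:
        if off + PAYLOAD_HDR_LEN > len(msg):
            raise ValueError("truncated payload header at offset %d" % off)
        following, _crit, plen = struct.unpack("!BBH", msg[off:off + PAYLOAD_HDR_LEN])
        if plen < PAYLOAD_HDR_LEN or off + plen > len(msg):
            raise ValueError("payload %d at offset %d has bad length %d" % (nxt, off, plen))
        payloads.append((nxt, plen - PAYLOAD_HDR_LEN))   # data length excludes the 4-byte header
        nxt, off = following, off + plen
    return exch, payloads

def oversized_payloads(msg: bytes, limit: int = STACK_BUF_LEN):
    """Alert strings for ID/CERT payloads whose data would not fit a buffer of `limit` bytes."""
    exch, payloads = parse_ike2_payloads(msg)
    return ["%s payload %d bytes > %d (exchange %d)" % (PAYLOAD_NAMES.get(t, t), n, limit, exch)
            for t, n in payloads if t in LENGTH_CHECKED and n > limit]

def build_ike2(exch: int, payloads, spi_i=b"\x11" * 8, spi_r=b"\x22" * 8) -> bytes:
    """Assemble a plaintext IKEv2 message; used only to construct sample input here."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, PAYLOAD_HDR_LEN + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = spi_i + spi_r + struct.pack("!BBBBII", first, 0x20, exch, 0x08, 1, IKE_HDR_LEN + len(body))
    return hdr + body

# Constructed sample (not a real capture): IKE_AUTH-style body with a 600-byte IDi,
# a 100-byte CERT and a 36-byte AUTH payload; only the IDi should be flagged.
SAMPLE = build_ike2(EXCH_IKE_AUTH, [(35, b"\x01\x00\x00\x00" + b"A" * 596),
                                    (37, b"\x04" + b"B" * 99), (39, b"\x02\x00\x00\x00" + b"C" * 32)])
```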
## References
- Vendor Advisory: WatchGuard (advisory released "last month" relative to October 2025)
- WatchTowr Labs Analysis: hxxps://labs.watchtowr[.]com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/
- CVE Information: hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2025-9242