Full Report
WatchGuard has released security updates to address a remote code execution vulnerability impacting the company's Firebox firewalls. [...]
Analysis Summary
# Vulnerability: Critical Remote Code Execution in WatchGuard Firebox Firewalls via IKEv2 Process
## CVE Details
- CVE ID: CVE-2025-9242
- CVSS Score: Not stated in the source, which describes the vulnerability only as "critical"; a score in the 9.0+ range would be consistent with that rating, but this is an assumption rather than a published value.
- CWE: Out-of-bounds Write (CWE-787)
## Affected Systems
- Products: WatchGuard Firebox Firewalls running Fireware OS
- Versions:
  - Fireware OS 11.x (End of Life)
  - Fireware OS 12.x
  - Fireware OS 2025.1
  - Specific vulnerable hardware listed for certain lines: T15, T35 (under 12.5.x); T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV (under 12.x); T115-W, T125, T125-W, T145, T145-W, T185 (under 2025.1.x).
- Configurations: Vulnerable if configured to use IKEv2 for Mobile User VPN or Branch Office VPN (BOVPN) with dynamic gateway peers. **Crucially, devices may remain vulnerable even if these configurations are deleted, provided a BOVPN tunnel to a static gateway peer is still configured.**
## Vulnerability Description
The vulnerability tracked as CVE-2025-9242 is an **Out-of-bounds Write** weakness in the `iked` process of WatchGuard Fireware OS. Successful exploitation allows a remote, unauthenticated attacker to **execute arbitrary code** on the affected device. The flaw lies in the IKEv2 VPN functionality.
## Exploitation
- Status: The article does not report exploitation in the wild; immediate patching is nonetheless advised.
- Complexity: Not stated; the remote, unauthenticated vector and RCE impact suggest a low barrier to exploitation.
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (arbitrary code execution on the firewall)
- Integrity: High (arbitrary code execution on the firewall)
- Availability: High (arbitrary code execution on the firewall)
## Remediation
### Patches
The following versions contain fixes for CVE-2025-9242:
- Fireware OS 12.3.1_Update3 (B722811)
- Fireware OS 12.5.13
- Fireware OS 12.11.4
- Fireware OS 2025.1.1
### Workarounds
For administrators who cannot patch immediately, WatchGuard provides a workaround for devices running vulnerable software that are configured with Branch Office VPN (BOVPN) tunnels to static gateway peers:
1. Disable dynamic peer BOVPNs.
2. Add new firewall policies.
3. Disable the default system policies that handle VPN traffic related to IKEv2/IPSec BOVPNs (Consult WatchGuard support documentation for detailed steps).
## Detection
- Indicators of Compromise: None are provided in the source. As general guidance, look for anomalous activity related to the `iked` process and for unexpected outbound connections originating from the firewall management plane.
- Detection methods and tools: Monitoring network traffic for malformed IKEv2 packets directed at the VPN endpoint may reveal exploitation attempts, but no specific IOCs or signatures are provided here.
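As an added example (not from the advisory or from WatchGuard), the following Python check implements the kind of IKEv2 structural validation the detection note above suggests: it parses the fixed IKEv2 header and walks the generic payload chain, flagging length fields that do not fit inside the datagram. The packet builder and the sample datagrams are constructed here for illustration; the check is a general RFC 7296 consistency test for traffic captured on UDP 500/4500, not a signature for CVE-2025-9242.

```python
import struct

IKE_HEADER_LEN = 28    # fixed IKEv2 header size (RFC 7296 section 3.1)
IKEV2_VERSION = 0x20   # major version 2, minor version 0
FLAG_RESPONSE = 0x20   # R bit in the header flags octet

def check_ikev2_packet(pkt: bytes) -> list:
    """Return anomaly strings for one raw IKEv2 datagram body (UDP 500/4500); [] means consistent."""
    findings = []
    if len(pkt) < IKE_HEADER_LEN:
        return ["truncated IKE header (%d bytes)" % len(pkt)]
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", pkt[:IKE_HEADER_LEN])
    if version != IKEV2_VERSION:
        findings.append("unexpected version byte 0x%02x" % version)
    if not 34 <= exch <= 37:   # IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL
        findings.append("unknown exchange type %d" % exch)
    if length != len(pkt):
        findings.append("header length %d != datagram length %d" % (length, len(pkt)))
    if exch == 34 and not flags & FLAG_RESPONSE and spi_r != 0:
        findings.append("IKE_SA_INIT request with non-zero responder SPI")
    # Walk the chain of generic payload headers; every declared length must stay inside the datagram.
    offset, ptype = IKE_HEADER_LEN, next_payload
    while ptype != 0:
        if offset + 4 > len(pkt):
            findings.append("payload type %d header runs past end of packet at offset %d" % (ptype, offset))
            break
        next_type, _critical, plen = struct.unpack("!BBH", pkt[offset:offset + 4])
        if plen < 4 or offset + plen > len(pkt):
            findings.append("payload type %d at offset %d: length %d invalid for %d remaining bytes" % (ptype, offset, plen, len(pkt) - offset))
            break
        offset, ptype = offset + plen, next_type
    else:
        if offset != len(pkt):
            findings.append("%d trailing bytes after last payload" % (len(pkt) - offset))
    return findings

def build_packet(payloads, spi_i=0x1122334455667788, spi_r=0, exch=34, flags=0x08, length=None):
    """Assemble a constructed IKEv2 datagram from (payload_type, body) pairs; `length` overrides the header length field."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", next_type, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    total = IKE_HEADER_LEN + len(body) if length is None else length
    return struct.pack("!QQBBBBII", spi_i, spi_r, first, IKEV2_VERSION, exch, flags, 0, total) + body

# Constructed samples: a well-formed IKE_SA_INIT request with a 16-byte Nonce payload (type 40), and the same datagram with the Nonce length field inflated to 200.
GOOD = build_packet([(40, b"\xaa" * 16)])
BAD = GOOD[:IKE_HEADER_LEN] + struct.pack("!BBH", 0, 0, 200) + b"\xaa" * 16
```

Feed the function the UDP payload of each captured IKE datagram (strip the 4-byte non-ESP marker first for port 4500 traffic) and alert on any non-empty result.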
## References
- Vendor Advisories: watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015 (Defanged: watchguard dot com/wgrd-psirt/advisory/wgsa-2025-00015)
- Support Document for Workaround: techsearch.watchguard.com/KB?type=Article&SFDCID=kA1Vr000000DMXNKA4&lang=en_US (Defanged: techsearch.watchguard dot com/KB?type=Article&SFDCID=kA1Vr000000DMXNKA4&lang=en_US)