71,000+ WatchGuard Devices Vulnerable to Remote Code Execution Attacks

The Shadowserver Foundation's internet-wide scans have identified more than 71,000 internet-exposed WatchGuard Firebox devices running Fireware OS versions vulnerable to CVE-2025-9242.

The flaw, tracked as CVE-2025-9242, is an out-of-bounds write in the IKEv2 implementation of Fireware OS (the iked process). An unauthenticated attacker who can reach the IKEv2 service over the network can potentially exploit it to execute arbitrary code on the appliance.

Disclosed earlier this year, the issue highlights the danger of unpatched firewalls in enterprise environments: such devices sit at the network edge as the first line of defense, and by design they are reachable from the internet.

Security researchers first flagged CVE-2025-9242 in Fireware OS versions prior to 12.10.3, which covers a wide range of WatchGuard's firewall models, including the Firebox T-series and M-series appliances.

The vulnerability is triggered while processing IKEv2 packets: a missing bounds check on attacker-supplied input lets data be written outside the intended buffer, corrupting memory in the iked process. Because IKEv2 is the key-exchange protocol for IPsec VPNs, the service listens on the firewall's external interface (UDP 500 and, for NAT traversal, UDP 4500), so an attacker on the internet can deliver the malformed traffic directly, with no VPN credentials. A successful exploit runs code on the firewall itself, potentially giving full control of the device and a pivot point into the internal networks behind it. The exposure is limited to appliances that accept IKEv2 connections on an external interface; a Firebox with no IKEv2 VPN configured does not answer such traffic.
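To make the failure mode concrete, the following is an added, illustrative example in C; it is not WatchGuard's code and not the actual CVE-2025-9242 defect, whose details WatchGuard has not published. It models the one thing the advisory does describe, an out-of-bounds write while parsing IKEv2 packets: a hypothetical parser walks the chain of IKEv2 generic payload headers (RFC 7296, section 3.2) and copies each payload body into a fixed scratch buffer. The unsafe version trusts the 16-bit length field the sender supplies; the hardened version checks the length against the bytes actually received and against the buffer before every copy. The sample packet is constructed inline so the block runs offline. Buffer sizes, function names and the payload types used are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IKEv2 fixed header is 28 bytes (RFC 7296, s3.1). Each payload then starts
 * with a 4-byte generic header: next-payload type, critical/reserved bits and
 * a 16-bit length that INCLUDES those 4 header bytes (RFC 7296, s3.2). */
#define IKEV2_HDR_LEN     28
#define IKEV2_PLD_HDR_LEN  4
#define MAX_PAYLOAD_BODY 128   /* assumed size of the parser's scratch buffer */
#define MAX_PAYLOADS      32

typedef struct {
    uint8_t  type;      /* payload type, from the preceding next-payload field */
    uint16_t body_len;  /* payload length minus the 4-byte generic header */
} ikev2_payload_t;

/* VULNERABLE (illustrative, not the real bug): never looks at how many bytes
 * actually arrived and trusts the sender's length field. A length of 0xFFFF
 * gives body_len = 65531, far beyond the 128-byte `body`, and memcpy writes
 * past the stack frame; a length below 4 wraps the subtraction to a huge size. */
int ikev2_parse_payloads_unsafe(const uint8_t *pkt, ikev2_payload_t *out, size_t max_out)
{
    uint8_t body[MAX_PAYLOAD_BODY];
    size_t off = IKEV2_HDR_LEN, n = 0;
    uint8_t next = pkt[16];                       /* next payload, fixed header */
    while (next != 0 && n < max_out) {
        uint16_t plen = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
        size_t body_len = plen - IKEV2_PLD_HDR_LEN;
        memcpy(body, pkt + off + IKEV2_PLD_HDR_LEN, body_len);   /* OOB write */
        out[n].type = next; out[n].body_len = (uint16_t)body_len; n++;
        next = pkt[off];
        off += plen;
    }
    return (int)n;
}

/* HARDENED: every read and copy is checked against the bytes actually present
 * before it happens. Returns the payload count, or -1 for a malformed packet. */
int ikev2_parse_payloads_safe(const uint8_t *pkt, size_t pkt_len,
                              ikev2_payload_t *out, size_t max_out)
{
    uint8_t body[MAX_PAYLOAD_BODY];
    if (pkt_len < IKEV2_HDR_LEN) return -1;
    uint32_t hdr_len = ((uint32_t)pkt[24] << 24) | ((uint32_t)pkt[25] << 16) |
                       ((uint32_t)pkt[26] << 8)  |  (uint32_t)pkt[27];
    if (hdr_len != pkt_len) return -1;                     /* length vs. datagram */
    size_t off = IKEV2_HDR_LEN, n = 0;
    uint8_t next = pkt[16];
    while (next != 0) {
        if (n >= max_out) return -1;
        if (pkt_len - off < IKEV2_PLD_HDR_LEN) return -1;  /* room for header */
        uint16_t plen = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
        if (plen < IKEV2_PLD_HDR_LEN) return -1;           /* no wraparound */
        if (plen > pkt_len - off) return -1;               /* body inside packet */
        size_t body_len = plen - IKEV2_PLD_HDR_LEN;
        if (body_len > sizeof body) return -1;             /* body fits buffer */
        memcpy(body, pkt + off + IKEV2_PLD_HDR_LEN, body_len);
        out[n].type = next; out[n].body_len = (uint16_t)body_len; n++;
        next = pkt[off];
        off += plen;
    }
    return off == pkt_len ? (int)n : -1;                   /* no trailing bytes */
}

/* Constructed sample: an IKE_SA_INIT-shaped message carrying an SA (33) and a
 * KE (34) payload. With malicious != 0 the KE length field claims 0xFFFF. */
size_t build_sample_packet(uint8_t *buf, size_t cap, int malicious)
{
    static const uint8_t sa_body[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    static const uint8_t ke_body[16] = {0};
    size_t total = IKEV2_HDR_LEN + 4 + sizeof sa_body + 4 + sizeof ke_body;
    if (cap < total) return 0;
    memset(buf, 0, total);                       /* SPIs left zero for brevity */
    buf[16] = 33; buf[17] = 0x20; buf[18] = 34; buf[19] = 0x08; /* v2.0, SA_INIT, I */
    buf[24] = (uint8_t)(total >> 24); buf[25] = (uint8_t)(total >> 16);
    buf[26] = (uint8_t)(total >> 8);  buf[27] = (uint8_t)total;
    size_t off = IKEV2_HDR_LEN;
    uint16_t len1 = 4 + sizeof sa_body;                    /* SA, next = KE */
    buf[off] = 34; buf[off + 2] = (uint8_t)(len1 >> 8); buf[off + 3] = (uint8_t)len1;
    memcpy(buf + off + 4, sa_body, sizeof sa_body);
    off += len1;
    uint16_t len2 = malicious ? 0xFFFF : 4 + sizeof ke_body; /* KE, next = none */
    buf[off] = 0;  buf[off + 2] = (uint8_t)(len2 >> 8); buf[off + 3] = (uint8_t)len2;
    memcpy(buf + off + 4, ke_body, sizeof ke_body);
    return total;
}

/* Runs the hardened parser over the sample; returns its count or -1. */
int sample_payload_count(int malicious)
{
    uint8_t pkt[128];
    ikev2_payload_t pl[MAX_PAYLOADS];
    size_t len = build_sample_packet(pkt, sizeof pkt, malicious);
    return ikev2_parse_payloads_safe(pkt, len, pl, MAX_PAYLOADS);
}

int main(void)
{
    uint8_t pkt[128];
    ikev2_payload_t pl[MAX_PAYLOADS];
    build_sample_packet(pkt, sizeof pkt, 0);
    printf("benign:  unsafe=%d safe=%d\n",
           ikev2_parse_payloads_unsafe(pkt, pl, MAX_PAYLOADS), sample_payload_count(0));
    printf("crafted: safe=%d (rejected; the unsafe parser would smash the stack)\n",
           sample_payload_count(1));
    return 0;
}
```

Note that the hardened parser checks three distinct things the unsafe one skips: that the length field is at least the header size (so the subtraction cannot wrap), that it does not exceed the bytes remaining in the datagram (so the read stays inside the packet), and that the resulting body fits the destination buffer (so the write stays inside the stack frame). The unsafe parser is deliberately not invoked on the crafted packet, since that would be an actual 65,531-byte write into a 128-byte buffer.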

WatchGuard published its advisory and patched Fireware OS releases in September 2025, but the sheer number of exposed instances suggests many organizations have yet to apply them, leaving critical infrastructure at risk.


WatchGuard Devices Exposed

The Shadowserver Foundation, a nonprofit that scans the internet for exposed and vulnerable services and reports its findings to network owners and national CSIRTs, began sharing daily IP-level data on affected WatchGuard devices this week.

Its October 18, 2025, report identified over 71,000 vulnerable hosts worldwide, a figure that underscores the global scale of the problem. The scans look for ISAKMP (Internet Security Association and Key Management Protocol) responders, the framework on which IKE runs (normally UDP port 500, with UDP 4500 for NAT traversal), and fingerprint the WatchGuard IKEv2 service where the flaw resides.

Shadowserver's data is delivered through its Vulnerable ISAKMP report to network owners and national CSIRTs for the address ranges they are responsible for, listing the affected IP addresses so that defenders can identify and remediate their own exposures.

Experts warn that exploitation of CVE-2025-9242 could enable devastating follow-on attacks, such as ransomware deployment or data exfiltration, especially in sectors like healthcare and finance that rely heavily on WatchGuard hardware.

The CVSS v3.1 base score of 9.8 rates it as critical: the flaw is reachable over the network and requires neither authentication nor user interaction. Shadowserver noted a slight uptick in vulnerable devices since the initial disclosure, possibly due to newly deployed or misconfigured systems.

WatchGuard urges immediate updates to Fireware OS 12.10.3 or later, and disabling IKEv2 where it is not needed. One caveat from WatchGuard's advisory: a Firebox that previously had IKEv2 mobile user VPN or a branch office VPN to a dynamic gateway peer configured may remain vulnerable after those are removed if a branch office VPN to a static gateway peer is still configured, so patching, not reconfiguration, is the reliable fix. Cybersecurity firms like Rapid7 and Tenable have echoed these recommendations, advising organizations to audit their perimeters using Shodan, Shadowserver's feeds, or a direct probe of UDP 500 and 4500 on their own external addresses to confirm whether the IKE service answers.

As threat actors increasingly target network edge devices amid rising geopolitical tensions, this incident serves as a wake-up call. With over 71,000 devices in the crosshairs, timely patching and a regular audit of what the firewall exposes to the internet remain the only reliable defense.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.