U.S. CISA adds WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the flaws added to the catalog:
In mid-October, researchers revealed details of the critical vulnerability CVE-2025-9242 (CVSS score of 9.3) in WatchGuard Fireware. An unauthenticated attacker can exploit the flaw to execute arbitrary code. The vulnerability is an out-of-bounds write issue that affects Fireware OS versions 11.10.2–11.12.4_Update1, 12.0–12.11.3, and 2025.1.
“An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer,” reads the advisory. “This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.”
The vendor states that a WatchGuard Fireware OS iked process flaw allows remote unauthenticated attackers to execute arbitrary code via an out-of-bounds write vulnerability. The vulnerability impacts Firebox devices using IKEv2 for mobile user or branch office VPNs with dynamic gateways. The company pointed out that even if those VPNs were deleted, devices remain at risk if a branch office VPN to a static gateway is still configured.
According to watchTowr researchers, the bug is reachable before authentication because the IKEv2 VPN service is an Internet-exposed entry point, so an unauthenticated attacker can execute arbitrary code on the perimeter appliance by targeting that service.
This vulnerability ticks all the boxes ransomware actors crave: remote code execution on a perimeter device, exposure via a public-facing VPN service, and pre-auth exploitability, making it a high-priority target for exploitation and urgent to patch.
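As an added example, not code from the article or from WatchGuard, the following defender-side check encodes the affected Fireware OS ranges quoted above and reports whether an inventoried version string falls inside them. The version-string shape (dotted numbers with an optional `_UpdateN` suffix) and the sample inventory are assumptions; fixed releases are not stated on the page, so the check only answers whether a version is inside a listed affected range.

```python
import re
from typing import Tuple

# Affected Fireware OS ranges exactly as quoted from the WatchGuard advisory
# (bounds inclusive). "2025.1" is listed as a single affected release.
# Fixed releases are not stated on the page, so this check only answers
# "is this version inside a range the advisory calls affected?".
AFFECTED_RANGES = [
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.3"),
    ("2025.1", "2025.1"),
]

# Assumed version-string shape: dotted integers with an optional "_UpdateN"
# suffix, e.g. "11.12.4_Update1". Other suffixes are rejected, not guessed at.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_Update(\d+))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.12.4_Update1' into (11, 12, 4, 0, 1) so tuples compare correctly.

    Dotted components are zero-padded to four places ('12.0' -> 12.0.0.0) and
    the _UpdateN number goes last (0 when absent), so 11.12.4 < 11.12.4_Update1.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many version components: {text!r}")
    parts += [0] * (4 - len(parts))
    update = int(m.group(2)) if m.group(2) else 0
    return tuple(parts + [update])


def is_affected(version: str) -> bool:
    """True when the version falls inside any advisory-listed affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> Fireware OS version), not real devices
    inventory = {"fw-edge-01": "12.11.3", "fw-edge-02": "12.11.4", "fw-lab": "11.12.4_Update2"}
    for host, ver in inventory.items():
        status = "AFFECTED" if is_affected(ver) else "not in listed ranges"
        print(f"{host}: {ver} -> {status}")
```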
The second flaw added to the catalog is a Gladinet Triofox Improper Access Control Vulnerability tracked as CVE-2025-12480.
Google’s Mandiant researchers spotted threat actors exploiting the now-patched Triofox flaw that allows them to bypass authentication to upload and run remote access tools via the platform’s antivirus feature.
Mandiant attributes the ongoing exploitation of the Triofox flaw CVE-2025-12480 to the threat cluster it tracks as UNC6485.
Mandiant used Google Security Operations to detect suspicious activity on a customer’s Triofox server, including PLINK-based RDP tunneling and file downloads to temp directories.
It’s the third Triofox bug abused this year, following CVE-2025-30406 and CVE-2025-11371. The patch blocks access to the configuration pages once setup is complete; before it, attackers abused unauthenticated access to the setup process to create a new admin account named “Cluster Admin,” which they then used for further malicious activity across compromised systems.
CISA also added the Microsoft Windows race condition vulnerability CVE-2025-62215 to the catalog.
Microsoft warned that the flaw CVE-2025-62215 (CVSS score of 7) has been under active attack.
“Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Kernel allows an authorized attacker to elevate privileges locally,” reads the advisory. “Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by December 3, 2025.
Pierluigi Paganini
(SecurityAffairs – hacking, CISA)
