A critical security vulnerability has been discovered in WatchGuard Firebox appliances that could allow remote attackers to execute arbitrary code without authentication.
The flaw, identified as CVE-2025-9242, affects the IKEv2 VPN service and has been assigned a severity score of 9.3 under CVSS 4.0, marking it as a critical threat to organizations using these security devices.
| CVE | Impact | CVSS Score |
| --- | --- | --- |
| CVE-2025-9242 | Critical | 9.3 |
Understanding the Vulnerability
The vulnerability stems from an out-of-bounds write issue in the iked process of WatchGuard Fireware OS.
This flaw specifically impacts organizations using mobile user VPN with IKEv2 or branch office VPN configurations with dynamic gateway peers.
Security researchers discovered that the vulnerability is essentially a stack-based buffer overflow, a type of security weakness that was more commonly seen in the late 1990s but remains dangerous when found in modern enterprise systems.
The flaw exists in how the system handles identification data during the IKEv2 authentication process. When a client connects to the VPN service, the system copies identification information into a fixed-size buffer on the stack.
However, the vulnerable versions fail to properly validate the length of this data before copying it, allowing attackers to overflow the buffer and overwrite critical memory regions including saved register values and the return address.
What makes this vulnerability particularly concerning is that it can be exploited remotely without any authentication.
Attackers can reach the vulnerable code path by sending specially crafted IKEv2 packets to the VPN service, which typically runs on UDP port 500 and is often exposed to the internet.
Security researchers from watchTowr Labs successfully demonstrated exploitation by sending oversized identification data that corrupts the stack and hijacks program execution flow.
The exploitation process involves two stages. First, attackers send an IKE_SA_INIT packet to negotiate cryptographic parameters, followed by an IKE_AUTH packet containing the malicious payload.
By carefully crafting the identification buffer to exceed 520 bytes, attackers can control critical CPU registers and redirect program execution to their own code.
Researchers developed a complete exploit chain using return-oriented programming techniques to bypass security protections and achieve remote code execution with root privileges.
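The defect class described above, unchecked copying of a peer-supplied identification payload into a fixed-size stack buffer, is illustrated below with a vulnerable and a hardened handler side by side. This is an added, self-contained example, not WatchGuard's iked code or watchTowr's analysis tooling; the 520-byte buffer size is taken from the article, the payload layout follows the IKEv2 Identification payload format of RFC 7296 section 3.5 (4-byte generic payload header, 1-byte ID type, 3 reserved bytes, then identification data), and the function names, the constructed test payloads and the status codes are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical sizes for the example: the article reports that identification
 * data exceeding 520 bytes overflows the stack buffer in the affected process.
 * None of this is WatchGuard's code; it models the defect class. */
#define ID_BUF_SIZE 520
#define IKEV2_GENERIC_HDR_LEN 4   /* next payload(1) + flags(1) + length(2) */
#define IKEV2_ID_FIXED_LEN 4      /* ID type(1) + reserved(3) */

enum id_status { ID_OK = 0, ID_TRUNCATED = -1, ID_TOO_LONG = -2 };

/* Parse an IKEv2 Identification payload from buf/len (RFC 7296 sec. 3.5).
 * Validates the declared payload length against the bytes actually present,
 * then returns a pointer to and the length of the identification data. */
static int parse_id_payload(const uint8_t *buf, size_t len,
                            const uint8_t **id_data, size_t *id_len)
{
    const size_t hdr = IKEV2_GENERIC_HDR_LEN + IKEV2_ID_FIXED_LEN;
    if (len < hdr)
        return ID_TRUNCATED;
    uint16_t payload_len = (uint16_t)((buf[2] << 8) | buf[3]);
    if (payload_len < hdr || payload_len > len)
        return ID_TRUNCATED;           /* declared length does not match data */
    *id_data = buf + hdr;
    *id_len = payload_len - hdr;
    return ID_OK;
}

/* VULNERABLE pattern (as the article describes it): the attacker-controlled
 * length drives a memcpy into a fixed stack buffer with no size check, so
 * n > sizeof(id) overwrites saved registers and the return address. */
static int copy_id_unchecked(const uint8_t *buf, size_t len)
{
    uint8_t id[ID_BUF_SIZE];
    const uint8_t *data;
    size_t n;
    int rc = parse_id_payload(buf, len, &data, &n);
    if (rc != ID_OK)
        return rc;
    memcpy(id, data, n);               /* no check that n <= sizeof(id) */
    return (int)id[0] == 'A' ? (int)n : (int)n;
}

/* HARDENED pattern: reject identification data that does not fit the
 * destination before copying a single byte. */
static int copy_id_checked(const uint8_t *buf, size_t len,
                           uint8_t *out, size_t out_size)
{
    const uint8_t *data;
    size_t n;
    int rc = parse_id_payload(buf, len, &data, &n);
    if (rc != ID_OK)
        return rc;
    if (n > out_size)
        return ID_TOO_LONG;            /* the bounds check the bug lacked */
    memcpy(out, data, n);
    return (int)n;
}

/* Build a constructed Identification payload carrying id_len bytes of 'A'.
 * Returns the total payload length, or 0 if it does not fit in out. */
static size_t build_id_payload(uint8_t *out, size_t out_size, size_t id_len)
{
    size_t total = IKEV2_GENERIC_HDR_LEN + IKEV2_ID_FIXED_LEN + id_len;
    if (total > out_size || total > 0xFFFF)
        return 0;
    out[0] = 0;                        /* next payload: none */
    out[1] = 0;                        /* critical bit clear, reserved zero */
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)(total & 0xFF);
    out[4] = 2;                        /* ID type 2 = ID_FQDN */
    out[5] = out[6] = out[7] = 0;      /* reserved */
    memset(out + 8, 'A', id_len);
    return total;
}

/* Feed a constructed payload of id_len data bytes to the hardened handler. */
static int probe_checked(size_t id_len)
{
    uint8_t pkt[4096];
    uint8_t dst[ID_BUF_SIZE];
    size_t n = build_id_payload(pkt, sizeof pkt, id_len);
    if (n == 0)
        return ID_TRUNCATED;
    return copy_id_checked(pkt, n, dst, sizeof dst);
}

/* A payload whose declared length exceeds the bytes actually received. */
static int probe_lying_length(void)
{
    uint8_t pkt[256];
    uint8_t dst[ID_BUF_SIZE];
    size_t n = build_id_payload(pkt, sizeof pkt, 100);
    return copy_id_checked(pkt, n / 2, dst, sizeof dst);
}

int main(void)
{
    printf("100 bytes: %d\n", probe_checked(100));       /* 100 */
    printf("520 bytes: %d\n", probe_checked(520));       /* 520 */
    printf("521 bytes: %d\n", probe_checked(521));       /* -2 (ID_TOO_LONG) */
    printf("short read: %d\n", probe_lying_length());    /* -1 (ID_TRUNCATED) */
    return 0;
}
```

The hardened handler returns ID_TOO_LONG for anything over 520 bytes and ID_TRUNCATED when the declared payload length does not match what was received; the unchecked variant is kept only to show the missing comparison and is never invoked with oversized input here.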
This vulnerability affects a wide range of WatchGuard Firebox models running Fireware OS versions 11.10.2 through 11.12.4_Update1, versions 12.0 through 12.11.3, and version 2025.1.
WatchGuard, which claims to protect over 250,000 organizations globally with more than 10 million secured endpoints, has released patches to address the issue.
Organizations should immediately upgrade to Fireware OS version 2025.1.1, version 12.11.4 for 12.x series, version 12.5.13 for T15 and T35 models, or version 12.3.1_Update3 for FIPS-certified releases.
For organizations unable to immediately upgrade, WatchGuard recommends implementing workarounds for branch office VPN tunnels configured with static gateway peers.
However, the most effective protection is to apply the security patches as soon as possible.
The vulnerability was credited to security researcher btaol, and detailed technical analysis along with detection tools have been published by watchTowr Labs to help organizations identify and protect vulnerable systems.
Given the critical nature of this flaw and its potential for unauthenticated remote exploitation, WatchGuard users should treat this update as an urgent priority.