WatchGuard VPN Vulnerability Let Remote Attacker Execute Arbitrary Code

WatchGuard has disclosed a critical out-of-bounds write vulnerability in its Fireware OS, enabling remote unauthenticated attackers to execute arbitrary code via IKEv2 VPN connections.

Designated CVE-2025-9242 under advisory WGSA-2025-00015, the flaw carries a CVSS v4.0 base score of 9.3 (Critical), reflecting unauthenticated, network-reachable code execution on Firebox appliances.

Published on September 17, 2025, and updated two days later, the advisory lists as affected Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1. Because Firebox appliances are typically the internet-facing perimeter device of small and midsize organizations, successful exploitation amounts to full compromise of that boundary.

WatchGuard, which states that it protects over 250,000 organizations and 10 million endpoints, urges immediate patching, since perimeter VPN gateways are a favoured initial-access target for ransomware operators and other attackers.

The vulnerability resides in the iked process of Fireware OS, which handles IKEv2 negotiations for Mobile VPN with IKEv2 and for branch office VPNs (BOVPNs) configured with dynamic gateway peers.

An attacker opens a negotiation with a crafted IKE_SA_INIT and follows it with a crafted IKE_AUTH message (the exchange RFC 7296 calls IKE_AUTH) that triggers an out-of-bounds write in the ike2_ProcessPayload_CERT function: attacker-controlled identification data is copied into a 520-byte stack buffer without an adequate check of its length.

Deleting a configuration does not necessarily close the hole: a Firebox on which a dynamic gateway peer was once configured and later removed can remain vulnerable as long as a branch office VPN to a static gateway peer is still configured. In every case the flaw is reachable before authentication, over the IKE port UDP 500 (and UDP 4500 where NAT traversal is in use).

Security researchers at WatchTowr Labs, who credit btaol with the discovery, located the bug by patch diffing the vulnerable 12.11.3 and patched 12.11.4 builds; the fix amounts to a single added length check on the copied data.
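The following is an added illustration of the bug class and of the one-line fix described above; it is constructed for this article and is not WatchGuard's code or WatchTowr's. The 520-byte buffer size and the "length check added" fix come from the analysis summarized here; the IKEv2 CERT payload layout follows RFC 7296, and how the real ike2_ProcessPayload_CERT copies its data is assumed, not known.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class (not WatchGuard code). The 520-byte
 * buffer and the "length check added" fix follow the article; the real
 * ike2_ProcessPayload_CERT is assumed to differ in detail. */

#define ID_BUF_LEN         520 /* reported size of the overflowed stack buffer */
#define IKEV2_GEN_HDR_LEN    4 /* RFC 7296 s3.2: next payload, flags, 16-bit length */
#define IKEV2_CERT_ENC_LEN   1 /* RFC 7296 s3.6: Cert Encoding octet before the data */
#define CERT_DATA_OFFSET   (IKEV2_GEN_HDR_LEN + IKEV2_CERT_ENC_LEN)

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Bytes of certificate data a CERT payload claims to carry, or -1 if the
 * payload length is malformed or runs past the bytes actually received. */
long cert_data_len(const uint8_t *pl, size_t avail)
{
    if (avail < CERT_DATA_OFFSET) return -1;
    uint16_t plen = be16(pl + 2);                 /* attacker-controlled */
    if (plen < CERT_DATA_OFFSET || plen > avail) return -1;
    return (long)plen - CERT_DATA_OFFSET;
}

/* Unpatched pattern: the length is validated against the packet but never
 * against the destination, so up to 65530 bytes can land in a 520-byte array.
 * Only safe to call when the payload carries <= ID_BUF_LEN bytes. */
int process_cert_vulnerable(const uint8_t *pl, size_t avail)
{
    uint8_t id_buf[ID_BUF_LEN];
    long data_len = cert_data_len(pl, avail);
    if (data_len < 0) return -1;
    memcpy(id_buf, pl + CERT_DATA_OFFSET, (size_t)data_len); /* BUG: unbounded copy */
    return id_buf[0];                         /* stand-in for real processing */
}

/* Patched pattern: the single bound the fix introduces. */
int process_cert_fixed(const uint8_t *pl, size_t avail)
{
    uint8_t id_buf[ID_BUF_LEN];
    long data_len = cert_data_len(pl, avail);
    if (data_len < 0) return -1;
    if ((size_t)data_len > sizeof id_buf) return -2; /* reject instead of overflowing */
    memcpy(id_buf, pl + CERT_DATA_OFFSET, (size_t)data_len);
    return id_buf[0];
}

/* Build a constructed CERT payload: generic header, encoding octet, then
 * data_len fill bytes. Returns bytes written, or 0 if it does not fit. */
size_t build_cert_payload(uint8_t *out, size_t cap, size_t data_len, uint8_t fill)
{
    size_t total = CERT_DATA_OFFSET + data_len;
    if (total > cap || total > 0xFFFF) return 0;
    out[0] = 0;                               /* Next Payload: none */
    out[1] = 0;                               /* Critical bit clear, reserved zero */
    out[2] = (uint8_t)(total >> 8);           /* Payload Length, big-endian, includes header */
    out[3] = (uint8_t)(total & 0xFF);
    out[4] = 4;                               /* Cert Encoding 4: X.509 Certificate - Signature */
    memset(out + CERT_DATA_OFFSET, fill, data_len);
    return total;
}

/* Feed a constructed payload carrying data_len bytes to a handler; -3 if it cannot be built. */
int run_handler(int (*handler)(const uint8_t *, size_t), size_t data_len, uint8_t fill)
{
    uint8_t pkt[4096];
    size_t n = build_cert_payload(pkt, sizeof pkt, data_len, fill);
    return n ? handler(pkt, n) : -3;
}

int main(void)
{
    int rc = run_handler(process_cert_fixed, 600, 'A');   /* 600 > 520: must be rejected */
    printf("600-byte data, patched handler: rc=%d\n", rc);
    printf("unpatched handler would write %d bytes past id_buf\n", 600 - ID_BUF_LEN);
    rc = run_handler(process_cert_fixed, 64, 'B');
    printf("64-byte data, patched handler: rc=%d ('%c')\n", rc, rc);
    return 0;
}
```

The vulnerable variant is deliberately never invoked with more than 520 bytes in this program; on the appliance that is exactly the input that overwrites the saved registers and return address further up the stack.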

This stack-based buffer overflow, a bug class publicly documented since 1996 (Aleph One's "Smashing The Stack For Fun And Profit"), persists in 2025 enterprise gear: according to the analysis, the iked binary was built without PIE or stack canaries, although NX is enabled.

Exploiting CVE-2025-9242 starts with fingerprinting the firmware version from the custom Vendor ID payload the appliance includes in its IKE_SA_INIT response, which carries base64-encoded details such as "VN=12.11.3 BN=719894" (version number and build number), allowing an attacker to pick version-specific offsets before sending anything hostile.
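A defender can use the same Vendor ID payload to confirm an appliance's version from the outside. The following is an added example, not WatchTowr's or WatchGuard's code: it base64-decodes a Vendor ID body, extracts VN= and BN=, and checks the version against the affected ranges listed in this article. The sample payload is constructed here (it is the base64 encoding of the string quoted above, not a real capture), and the assumptions that the body is exactly one base64 string with space-separated key=value pairs, and that "_UpdateN" appears in the VN string, are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fingerprint check (not WatchTowr's or WatchGuard's code). The
 * Vendor ID body is assumed to be one base64 string of "KEY=value" pairs as
 * the article describes; affected ranges follow WGSA-2025-00015 as summarized. */

struct fw_version { int major, minor, patch, update; long build; };

/* Constructed sample: base64 of "VN=12.11.3 BN=719894", not a real capture. */
static const char SAMPLE_VID_B64[] = "Vk49MTIuMTEuMyBCTj03MTk4OTQ=";

static int b64val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* RFC 4648 base64 decode; returns decoded length, or -1 on bad input or overflow. */
long b64_decode(const char *in, uint8_t *out, size_t cap)
{
    unsigned acc = 0; int bits = 0; size_t o = 0;
    for (; *in && *in != '='; in++) {
        int v = b64val(*in);
        if (v < 0) return -1;
        acc = ((acc << 6) | (unsigned)v) & 0xFFFF; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= cap) return -1;
            out[o++] = (uint8_t)((acc >> bits) & 0xFF);
        }
    }
    return (long)o;
}

/* Parse "major.minor[.patch][_UpdateN]" as WatchGuard writes Fireware versions. */
int parse_version(const char *s, struct fw_version *v)
{
    char *end;
    memset(v, 0, sizeof *v);
    v->major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.') return -1;
    s = end + 1;
    v->minor = (int)strtol(s, &end, 10);
    if (end == s) return -1;
    if (*end == '.') {
        s = end + 1;
        v->patch = (int)strtol(s, &end, 10);
        if (end == s) return -1;
    }
    if (strncmp(end, "_Update", 7) == 0)        /* assumed suffix form */
        v->update = (int)strtol(end + 7, &end, 10);
    return 0;
}

static int cmp3(const struct fw_version *v, int M, int m, int p)
{
    if (v->major != M) return v->major - M;
    if (v->minor != m) return v->minor - m;
    return v->patch - p;
}

/* 1 = inside an affected range, 0 = unaffected or a fix release. */
int is_affected(const struct fw_version *v)
{
    switch (v->major) {
    case 11:  /* 11.10.2 through 11.12.4_Update1; 11.x is end-of-life, no fix */
        return cmp3(v, 11, 10, 2) >= 0 && cmp3(v, 11, 12, 4) <= 0;
    case 12:  /* 12.0 through 12.11.3, minus the two out-of-line fix releases */
        if (v->minor == 5 && v->patch >= 13) return 0;                  /* 12.5.13: T15/T35 */
        if (v->minor == 3 && v->patch == 1 && v->update >= 3) return 0; /* 12.3.1_Update3: FIPS */
        return cmp3(v, 12, 11, 3) <= 0;
    case 2025: /* 2025.1 affected, 2025.1.1 fixed */
        return v->minor == 1 && v->patch == 0;
    default:
        return 0;
    }
}

/* Convenience: classify a bare version string; -1 if it does not parse. */
int version_affected(const char *version)
{
    struct fw_version v;
    return parse_version(version, &v) == 0 ? is_affected(&v) : -1;
}

/* Decode a Vendor ID body, extract VN= and BN=, classify. out may be NULL. */
int fireware_affected_from_vid(const char *b64_body, struct fw_version *out)
{
    struct fw_version local, *v = out ? out : &local;
    uint8_t buf[256];
    long n = b64_decode(b64_body, buf, sizeof buf - 1);
    if (n < 0) return -1;
    buf[n] = 0;
    const char *vn = strstr((char *)buf, "VN=");
    if (!vn || parse_version(vn + 3, v) != 0) return -1;
    const char *bn = strstr((char *)buf, "BN=");
    if (bn) v->build = strtol(bn + 3, NULL, 10);
    return is_affected(v);
}

int main(void)
{
    struct fw_version v = {0};
    int rc = fireware_affected_from_vid(SAMPLE_VID_B64, &v);
    printf("VN=%d.%d.%d BN=%ld -> %s\n", v.major, v.minor, v.patch, v.build,
           rc == 1 ? "AFFECTED" : rc == 0 ? "fixed or unaffected" : "unparseable");
    const char *probes[] = { "12.11.4", "12.5.13", "12.3.1_Update3", "11.12.4_Update1", "2025.1", "2025.1.1" };
    for (size_t i = 0; i < sizeof probes / sizeof *probes; i++)
        printf("%-16s affected=%d\n", probes[i], version_affected(probes[i]));
    return 0;
}
```

Feed it the decoded Vendor ID body captured from an IKE_SA_INIT response; a result of 1 for an appliance you own is a patching task, and the same response being freely available to anyone on the internet is why the article treats unauthenticated reachability as the urgent part.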

Attackers then complete IKE_SA_INIT by negotiating ordinary transforms such as AES-256 and Diffie-Hellman Group 14, and send an oversized identification payload in IKE_AUTH that overwrites the saved registers and return address on the stack; an unstructured payload merely crashes the daemon with a segmentation fault, while a crafted one redirects execution into a ROP chain.

WatchTowr demonstrated remote code execution by chaining gadgets to call mprotect and make the stack executable, then running reverse TCP shellcode that spawns a Python interpreter as root; from there an attacker can remount the filesystem read-write or fetch a BusyBox binary for a full interactive shell.

Because Firebox devices usually sit at the internet-facing boundary, the impact is amplified: a compromised appliance is a pivot into the internal network, a point for intercepting or exfiltrating traffic, and a place to plant persistent backdoors, especially in environments without robust segmentation behind the firewall.

Mitigations

WatchGuard has resolved the issue in the following releases: 2025.1.1 for the 2025 branch, 12.11.4 for 12.x, 12.5.13 for the T15 and T35 models, and 12.3.1_Update3 for the FIPS-certified 12.3.1 release. The 11.x branch is end-of-life and receives no fix, so those appliances must be upgraded.

Affected products span Firebox families, including T20 to M690 series, Cloud, and NV5/V models.

As a temporary workaround, organizations that cannot patch immediately should restrict access to IPSec/IKEv2 branch office VPNs with static gateway peers following WatchGuard's knowledge base guidance on access controls, and disable IKEv2 mobile user VPN and dynamic-peer BOVPNs wherever they are not required.

At the time of writing no in-the-wild exploitation has been confirmed, but the unauthenticated nature of the flaw and the detailed public analysis make exploitation attempts likely; administrators should watch for anomalous IKE traffic on UDP 500 and 4500 (unexpected source addresses, repeated IKE_SA_INIT attempts, iked crashes or restarts) and apply the patches promptly, since these VPN concentrators serve as critical gateways.
