PT-2025-38127 · Watchguard · Watchguard Fireware

Btaol · Published 2025-09-17 · Updated 2025-11-26 · CVE-2025-9242

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
WatchGuard Fireware OS versions 11.10.2 through 11.12.4 Update1
WatchGuard Fireware OS versions 12.0 through 12.11.3
WatchGuard Fireware OS version 2025.1
Description
An out-of-bounds write vulnerability exists in the WatchGuard Fireware OS iked process, potentially allowing a remote, unauthenticated attacker to execute arbitrary code. This vulnerability affects both Mobile User VPN with IKEv2 and Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. Reports indicate active exploitation of this issue; over 75,000 devices are potentially exposed worldwide, concentrated in the United States, Italy, the United Kingdom, Germany, and Canada. Because no authentication is required to reach the vulnerable code, the issue poses a severe risk to network security. The iked process handles IKEv2 VPN connections. Exploitation involves sending specially crafted IKEv2 packets to vulnerable Firebox appliances, leading to an out-of-bounds write and enabling arbitrary code execution.
Recommendations
WatchGuard Fireware OS versions 11.10.2 through 11.12.4 Update1: Upgrade to version 2025.1.1, 12.11.4, 12.5.13, or 12.3.1 Update3 (B722811).
WatchGuard Fireware OS versions 12.0 through 12.11.3: Upgrade to version 2025.1.1, 12.11.4, 12.5.13, or 12.3.1 Update3 (B722811).
WatchGuard Fireware OS version 2025.1: Upgrade to version 2025.1.1, 12.11.4, 12.5.13, or 12.3.1 Update3 (B722811).
Rotate all locally stored secrets on affected appliances.
Limit IKEv2 to trusted configurations.
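The fixed releases 12.5.13 and 12.3.1 Update3 sit inside the affected 12.0 through 12.11.3 range, so a naive range check over a fleet inventory misflags patched appliances. The triage helper below is an added example, not code from this advisory or from WatchGuard; it assumes Fireware version strings of the form "major.minor.patch [UpdateN] [(build)]" and assumes that any release at or above a fixed release on the same major.minor branch is patched.

```python
import re

# Affected ranges and fixed releases exactly as listed in this advisory.
AFFECTED_RANGES = [("11.10.2", "11.12.4 Update1"), ("12.0", "12.11.3"), ("2025.1", "2025.1")]
FIXED_RELEASES = ["2025.1.1", "12.11.4", "12.5.13", "12.3.1 Update3"]


def parse_version(text):
    """'12.3.1 Update3 (B722811)' -> ((12, 3, 1), 3); a bracketed build tag is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)(?:\s+Update(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # '12.0' compares as 12.0.0
    return (nums, int(m.group(2) or 0))     # 'UpdateN' sorts after the base release


def triage(version_text):
    """Return 'patched', 'vulnerable' or 'not listed' for one appliance's Fireware version.

    Assumption (not stated in the advisory): a release is patched when it is at or above
    a fixed release on the same major.minor branch, e.g. 12.5.14 counts as patched via 12.5.13.
    """
    v = parse_version(version_text)
    branch = v[0][:2]
    for fixed in FIXED_RELEASES:          # check fixed releases first: they lie inside the ranges
        f = parse_version(fixed)
        if f[0][:2] == branch and v >= f:
            return "patched"
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return "vulnerable"
    return "not listed"


def triage_inventory(inventory):
    """inventory: {hostname: version string} -> {hostname: status}."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {"fw-hq": "12.11.3", "fw-branch-a": "12.5.13",
              "fw-branch-b": "12.3.1 Update3 (B722811)", "fw-lab": "11.12.4 Update1",
              "fw-dc": "2025.1", "fw-old": "11.9.4"}
    for host, status in triage_inventory(sample).items():
        print(f"{host:12} {sample[host]:28} {status}")
```

Appliances reported as "not listed" fall outside every range the advisory names and should be confirmed against the vendor's current guidance rather than assumed safe.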

Exploit

Fix

RCE

Memory Corruption

Weakness Enumeration

Related Identifiers

BDU:2025-11474
CVE-2025-9242

Affected Products

Watchguard Fireware