PT-2025-38127 · Watchguard · Watchguard Fireware

Btaol · Published 2025-09-17 · Updated 2026-01-05 · CVE-2025-9242

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WatchGuard Fireware OS versions 11.10.2 through 11.12.4 Update1
WatchGuard Fireware OS versions 12.0 through 12.11.3
WatchGuard Fireware OS version 2025.1
Description
An out-of-bounds write vulnerability exists in WatchGuard Fireware OS, specifically in the iked process that handles IKEv2 VPN connections. The flaw allows a remote, unauthenticated attacker to execute arbitrary code on affected Firebox devices. It affects both Mobile User VPN with IKEv2 and Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. Reports indicate active exploitation of this vulnerability; over 75,000 devices are potentially exposed globally, concentrated in the United States, Italy, the United Kingdom, and Germany. The vulnerability is tracked as CVE-2025-9242 and has a CVSS score of 9.3, indicating critical severity. Because no authentication is required, a successful attacker can gain full control of the VPN gateway and use it for lateral movement into internal networks.
Recommendations
WatchGuard Fireware OS versions 11.10.2 through 11.12.4 Update1: upgrade to version 2025.1.1, 12.11.4, 12.5.13, or 12.3.1 Update3 (B722811).
WatchGuard Fireware OS versions 12.0 through 12.11.3: upgrade to version 2025.1.1, 12.11.4, 12.5.13, or 12.3.1 Update3 (B722811).
WatchGuard Fireware OS version 2025.1: upgrade to version 2025.1.1, 12.11.4, 12.5.13, or 12.3.1 Update3 (B722811).
Rotate all locally stored secrets on affected appliances.
Limit IKEv2 to trusted configurations.
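As an added example (not part of this advisory and not WatchGuard code), the following Python helper triages an inventory of Fireware OS version strings against the affected ranges and fixed releases listed above, so a fleet export can be checked offline. The sample inventory is constructed, and the rule that a later release on the same MAJOR.MINOR branch as a listed fix is also fixed is an assumption the advisory does not state.

```python
# Added example, not part of the advisory: classify a WatchGuard Fireware OS
# version string against the affected ranges and fixed releases the advisory
# lists for CVE-2025-9242, so an inventory export can be triaged offline.
import re
from typing import Dict, Tuple

# Affected ranges exactly as the advisory states them (inclusive bounds).
AFFECTED_RANGES = [("11.10.2", "11.12.4 Update1"), ("12.0", "12.11.3"), ("2025.1", "2025.1")]
# Fixed releases named in the advisory's recommendations.
FIXED_VERSIONS = ["2025.1.1", "12.11.4", "12.5.13", "12.3.1 Update3"]

# MAJOR.MINOR[.PATCH] [UpdateN] [(Bnnnnnn)] -- the build tag is accepted and ignored.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){0,2})\s*(?:Update\s*(\d+))?\s*(?:\(B\d+\))?\s*$", re.I)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Fireware version string into a comparable (major, minor, patch, update) tuple.
    Missing patch/Update components count as 0, so '12.0' sorts as 12.0.0 Update0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Fireware version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    return (nums[0], nums[1], nums[2], int(m.group(2) or 0))


def classify(version: str) -> str:
    """Return 'fixed', 'affected' or 'not listed' for one version string.
    Assumption (not stated by the advisory): a release on the same MAJOR.MINOR
    branch that is later than a listed fix is also fixed. Fixed releases are
    checked first because some of them fall inside the stated affected ranges."""
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if v[:2] == f[:2] and v >= f:
            return "fixed"
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return "affected"
    return "not listed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map device name -> verdict for a {name: version} inventory."""
    return {name: classify(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {"fw-hq-01": "12.11.3", "fw-branch-02": "12.3.1 Update3 (B722811)",
              "fw-lab-03": "2025.1", "fw-dc-04": "2025.1.1", "fw-old-05": "11.9.1"}
    for name, verdict in triage(sample).items():
        print(f"{name:14s} {sample[name]:28s} {verdict}")
```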

Exploit · Fix · RCE · Memory Corruption

Weakness Enumeration

Related Identifiers

BDU:2025-11474
CVE-2025-9242

Affected Products

Watchguard Fireware