A critical vulnerability in WatchGuard Firebox firewalls is being actively exploited to gain remote, unauthenticated code execution on perimeter devices.
The flaw, tracked as CVE-2025-9242, is an out-of-bounds write in the Fireware OS iked process that handles IKEv2 VPN handshakes. Exploitation allows attackers to execute arbitrary code on affected Firebox appliances without valid credentials.
CISA has added CVE-2025-9242 to its Known Exploited Vulnerabilities (KEV) catalog and ordered U.S. federal agencies to patch by December 3, 2025. But according to reports, over 50,000 Firebox devices on the public internet remain vulnerable.
Overview
CVE-2025-9242 is a critical (CVSS 9.3) out-of-bounds write vulnerability in WatchGuard Fireware OS affecting Firebox appliances running:
- Fireware OS 11.10.2 up to and including 11.12.4_Update1
- Fireware OS 12.0 up to and including 12.11.3
- Fireware OS 2025.1
The bug resides in the iked process that handles IPsec/IKEv2 VPN traffic. It is reachable when the Firebox is configured for:
- Mobile User VPN with IKEv2, and/or
- Branch Office VPN (BOVPN) using IKEv2 with a dynamic gateway peer.
In either configuration, a crafted IKEv2 message can trigger the out-of-bounds write and lead to remote code execution before any authentication occurs. Note that a device on which such dynamic-peer IKEv2 VPNs were later removed may remain vulnerable as long as a BOVPN to a static gateway peer is still configured.
WatchGuard updated its advisory on October 21, 2025, confirming evidence of active exploitation and publishing indicators of attack (IoAs).
Impact
A compromised Firebox is not “just another host”. It is the choke point for network traffic and often a trusted VPN endpoint. Successful exploitation can allow attackers to gain persistent control of a perimeter security device, enabling them to intercept, inspect, or tamper with VPN traffic.
VPN and administrative credentials stored on or flowing through the device are also at risk, potentially leading to lateral movement.
Indicators of Compromise (IOCs)
From WatchGuard’s advisory and related reporting, notable indicators of attack (IoAs) include:
On the Firebox / Fireware OS:
- IKE_AUTH logs with abnormally large IDi payloads
  - With iked diagnostic logging at Info level, watch for IKE_AUTH request logs where the IDi size is unusually large (e.g., >100 bytes).
- IKE process instability
  - iked process hangs, causing VPN sessions to drop or fail to establish.
  - Repeated iked crashes and fault reports without configuration changes or obvious network issues.
On the network side:
- Unexpected spikes in IKEv2 traffic from untrusted internet sources toward Firebox UDP/500 or UDP/4500.
- Repeated failed VPN negotiations from the same unfamiliar IPs before instability events.
Because this is a pre-authentication, network-level exploit, you may not see conventional endpoint IOCs at all. Hunting must cover Firebox diagnostic logs (iked at Info level), VPN session logs, and network telemetry for UDP/500 and UDP/4500, and an oversized IDi followed shortly by an iked fault from the same peer is the strongest single signal to alert on.
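The following triage script is an added example, not part of WatchGuard’s advisory or OP Innovate’s tooling. It runs the IoA logic above over a handful of constructed log lines: flag IKE_AUTH requests whose IDi size exceeds the 100-byte guide value, count iked fault reports, correlate the two by source IP within a short window, and rank peers by negotiation attempts to surface spikes from unfamiliar sources. The line layout (timestamp, process name, free-text message) and the exact wording of the messages are assumptions for the example; adapt the regexes to the fields your Firebox actually emits. The threshold is a parameter because legitimate identities (a long FQDN, or an ASN1 DN from a certificate) can also exceed 100 bytes, so a hit should be correlated with faults rather than treated as proof on its own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines for this example (not real Firebox output). The layout
# "YYYY-MM-DD HH:MM:SS iked <message>" is an assumption; adjust LINE_RE/AUTH_RE below.
SAMPLE_LOG = """\
2025-10-20 03:12:44 iked IKE_AUTH request from 203.0.113.45:4500 IDi size 16
2025-10-20 03:12:51 iked IKE_AUTH request from 198.51.100.7:500 IDi size 4096
2025-10-20 03:12:52 iked process fault: signal 11 (restarting)
2025-10-20 03:12:58 iked IKE_SA_INIT request from 198.51.100.7:500
2025-10-20 03:13:10 iked IKE_AUTH request from 198.51.100.7:500 IDi size 4096
2025-10-20 03:13:11 iked process fault: signal 11 (restarting)
2025-10-20 03:20:00 iked IKE_AUTH request from 192.0.2.10:4500 IDi size 24
"""

IDI_THRESHOLD = 100                 # bytes; the advisory's "unusually large" guide value
CRASH_WINDOW = timedelta(seconds=30)  # how soon after an oversized IDi a fault still counts

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) iked (?P<msg>.*)$")
AUTH_RE = re.compile(r"IKE_AUTH request from (?P<ip>[\d.]+):\d+ IDi size (?P<size>\d+)")
PEER_RE = re.compile(r"request from (?P<ip>[\d.]+):\d+")
FAULT_RE = re.compile(r"process fault")


def parse(text):
    """Yield (timestamp, message) for each iked line; ignore anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["msg"]


def triage(text, idi_threshold=IDI_THRESHOLD, crash_window=CRASH_WINDOW):
    """Return oversized-IDi suspects correlated with iked faults, plus peer activity."""
    oversized = []          # (ts, source ip, IDi size)
    faults = []             # timestamps of iked fault reports
    per_peer = Counter()    # negotiation attempts per source ip (spike detection)

    for ts, msg in parse(text):
        if (m := AUTH_RE.search(msg)) and int(m["size"]) > idi_threshold:
            oversized.append((ts, m["ip"], int(m["size"])))
        if (m := PEER_RE.search(msg)):
            per_peer[m["ip"]] += 1
        if FAULT_RE.search(msg):
            faults.append(ts)

    # An oversized IDi followed by an iked fault inside the window is the pattern
    # a pre-auth out-of-bounds write would leave when the exploit crashes the process.
    suspects = defaultdict(lambda: {"oversized": 0, "faults_after": 0})
    for ts, ip, _size in oversized:
        suspects[ip]["oversized"] += 1
        if any(ts <= f <= ts + crash_window for f in faults):
            suspects[ip]["faults_after"] += 1

    return {
        "fault_count": len(faults),
        "suspects": dict(suspects),
        "top_peers": per_peer.most_common(3),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"iked faults: {result['fault_count']}")
    for ip, info in result["suspects"].items():
        print(f"{ip}: {info['oversized']} oversized IDi, {info['faults_after']} followed by a fault")
    print("busiest peers:", result["top_peers"])
```

Feed it the exported iked diagnostic log instead of SAMPLE_LOG; peers that appear in both `suspects` and the head of `top_peers` are the ones to cross-check against your firewall’s allowlist and your known VPN peers.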
Remediation Guidance
To remediate the issue, please upgrade Fireware OS to a fixed version on all Firebox appliances:
- 2025.1 → 2025.1.1
- 12.x → 12.11.4
- 12.5.x (T15 & T35) → 12.5.13
- 12.3.1 (FIPS) → 12.3.1_Update3 (B722811)
- 11.x → End of life (must be replaced; no patch available)
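The check below is an added example for fleet inventories, not WatchGuard’s own tooling. It parses Fireware version strings (including the `_UpdateN` suffix and a build tag in parentheses), tests them against the affected ranges listed in the Overview, and maps each affected device to the fixed release from the table above. The caveat it encodes is the one a naive range comparison gets wrong: 12.5.13 and 12.3.1_Update3 fall numerically inside the affected 12.0 through 12.11.3 range yet are fixed builds, so branch-specific fixes must be resolved before the range test. It generalizes the table by treating any later build on the same branch as fixed, which the table implies but does not state.

```python
import re

# Version strings become (major, minor, patch, update) tuples so they compare in order.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?(?:\s*\(B\d+\))?")


def parse_version(s):
    """'12.3.1_Update3 (B722811)' -> (12, 3, 1, 3); '2025.1' -> (2025, 1, 0, 0)."""
    m = VERSION_RE.fullmatch(s.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {s!r}")
    return tuple(int(x or 0) for x in m.groups())


def fmt(v):
    return f"{v[0]}.{v[1]}.{v[2]}" + (f"_Update{v[3]}" if v[3] else "")


# Affected ranges from the advisory (inclusive at both ends).
VULNERABLE_RANGES = [
    ((11, 10, 2, 0), (11, 12, 4, 1)),
    ((12, 0, 0, 0), (12, 11, 3, 0)),
    ((2025, 1, 0, 0), (2025, 1, 0, 0)),
]

# Fixed release per branch, keyed by the version prefix the branch covers.
# Longest prefix is listed first so 12.3.1 (FIPS) and 12.5.x (T15/T35) win over 12.x.
# 11.x has no entry: it is end of life and must be replaced.
FIXED = [
    ((12, 3, 1), (12, 3, 1, 3)),
    ((12, 5), (12, 5, 13, 0)),
    ((12,), (12, 11, 4, 0)),
    ((2025, 1), (2025, 1, 1, 0)),
]


def assess(version):
    """Decide whether a device is affected and what to do about it."""
    v = parse_version(version)
    fix = next((f for prefix, f in FIXED if v[:len(prefix)] == prefix), None)
    # Branch fix first: 12.5.13 and 12.3.1_Update3 sit inside the 12.x range
    # but are patched, so the range test alone would misreport them.
    if fix is not None and v >= fix:
        return {"vulnerable": False, "action": "already fixed"}
    if not any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES):
        return {"vulnerable": False, "action": "not in an affected range; verify against the advisory"}
    if fix is None:
        return {"vulnerable": True, "action": "end of life: no patch, replace the appliance"}
    return {"vulnerable": True, "action": f"upgrade to {fmt(fix)}"}


if __name__ == "__main__":
    # Constructed inventory for the example.
    for dev, ver in [("fw-hq", "12.11.3"), ("fw-branch-t35", "12.5.12"),
                     ("fw-fips", "12.3.1_Update3 (B722811)"), ("fw-old", "11.12.4_Update1")]:
        print(dev, ver, assess(ver))
```

Run it over the firmware column of your asset inventory; the `action` field is meant to be pasted straight into a ticket. Anything reported as “not in an affected range” still deserves a manual check against the advisory, since the ranges above are only as current as this page.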
If you can’t patch immediately, temporary workarounds include disabling Mobile User VPN with IKEv2 and any BOVPN that uses IKEv2 with a dynamic gateway peer, or restricting IKEv2 exposure (UDP/500 and UDP/4500) to trusted peers only via IP allowlists, geo-filters, or upstream ACLs. Remember that iked still handles IKEv2 while any static-gateway BOVPN remains configured, so removing only the dynamic-peer VPNs is not by itself a complete workaround.
Additionally, given confirmed in-the-wild exploitation, WatchGuard recommends rotating all locally stored secrets on previously vulnerable devices (VPN pre-shared keys, local admin credentials, service accounts, etc.). A workaround or upgrade does not undo a compromise that already happened, so treat any device that was exposed while unpatched as potentially compromised and hunt with the indicators above before trusting it again.
Stay Safe. Stay Secure.
OP Innovate Research Team