A critical WatchGuard Fireware vulnerability, tracked as CVE-2025-9242, could allow unauthenticated code execution.
Researchers revealed details of a critical vulnerability, tracked as CVE-2025-9242 (CVSS score of 9.3), in WatchGuard Fireware. An unauthenticated attacker can exploit the flaw to execute arbitrary code. The vulnerability is an out-of-bounds write issue that affects Fireware OS versions 11.10.2–11.12.4_Update1, 12.0–12.11.3, and 2025.1.
“An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer,” reads the advisory. “This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.”
The vendor states that a flaw in the WatchGuard Fireware OS iked process allows remote unauthenticated attackers to execute arbitrary code via an out-of-bounds write. The vulnerability impacts Firebox devices using IKEv2 for mobile user or branch office VPNs with dynamic gateway peers. The company pointed out that even if those VPNs have since been deleted, a device remains at risk if a branch office VPN to a static gateway peer is still configured.
“An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer,” reads the advisory. “If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.”
The vulnerability impacts the following versions:
| Vulnerable Version | Resolved Version |
|---|---|
| 2025.1 | 2025.1.1 |
| 12.x | 12.11.4 |
| 12.5.x (T15 & T35 models) | 12.5.13 |
| 12.3.1 (FIPS-certified release) | 12.3.1_Update3 (B722811) |
| 11.x | End of Life |
According to watchTowr researchers, the flaw lets unauthenticated attackers execute arbitrary code on a perimeter appliance by targeting the IKEv2 VPN service, an Internet-exposed entry point that is reachable before any authentication takes place.
This vulnerability ticks all the boxes ransomware actors crave: remote code execution on a perimeter device, exposure via a public-facing VPN service, and pre-auth exploitability, making it a high-priority target for exploitation and urgent to patch.
“WatchGuard enables more than 250,000 small and midsize enterprises from around the globe to protect their most important assets, including over 10 million endpoints,” writes watchTowr, which published a technical analysis of the issue.
WatchGuard researcher McCaulay Hudson links the bug to ike2_ProcessPayload_CERT in ike2_payload_cert.c, where the client's identification data is copied into a 520-byte stack buffer without a length check during IKE_SA_AUTH, so the overflow occurs before certificate validation.
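As an added illustration of the defensive pattern (this is not Fireware code and not part of watchTowr's analysis), the following IKEv2 Identification payload parser enforces the bound the article says was missing before copying the peer's identity into a fixed 520-byte buffer. The constants, struct and function names are assumptions chosen for the example; the header layout follows RFC 7296.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ID_BUF stands in for the 520-byte stack buffer the article describes; all
 * names here are illustrative, not Fireware code. Header sizes per RFC 7296. */
#define ID_BUF  520
#define GEN_HDR 4   /* next payload, flags, 16-bit payload length (section 3.2) */
#define ID_HDR  4   /* ID type + 3 reserved bytes (section 3.5) */

struct peer_id { uint8_t type; uint16_t len; uint8_t data[ID_BUF]; };

/* Parse one IKEv2 Identification payload into a fixed-size destination.
 * Returns 0 on success, -1 if shorter than the headers, -2 if the peer-declared
 * length disagrees with the bytes received, -3 if the ID would overflow
 * out->data (the bound the article says was not enforced). */
int parse_ike2_id(const uint8_t *pkt, size_t pkt_len, struct peer_id *out)
{
    if (pkt_len < GEN_HDR + ID_HDR) return -1;
    uint16_t plen = (uint16_t)((pkt[2] << 8) | pkt[3]);   /* peer-controlled */
    if (plen < GEN_HDR + ID_HDR || plen > pkt_len) return -2;
    size_t id_len = plen - GEN_HDR - ID_HDR;
    if (id_len > ID_BUF) return -3;        /* reject instead of copying blindly */
    out->type = pkt[4];
    out->len  = (uint16_t)id_len;
    memcpy(out->data, pkt + GEN_HDR + ID_HDR, id_len);
    return 0;
}

/* Construct a test ID payload of id_len filler bytes; returns bytes written or 0. */
size_t build_ike2_id(uint8_t *buf, size_t cap, uint8_t type, size_t id_len)
{
    size_t total = GEN_HDR + ID_HDR + id_len;
    if (total > cap || total > UINT16_MAX) return 0;
    buf[0] = 0; buf[1] = 0;                               /* no next payload, no flags */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[4] = type; buf[5] = buf[6] = buf[7] = 0;
    memset(buf + GEN_HDR + ID_HDR, 'a', id_len);
    return total;
}

/* Build a constructed ID of id_len bytes, then hand the parser only the first
 * (n - drop) bytes, so drop > 0 simulates a declared length exceeding the bytes received. */
int demo_case(size_t id_len, size_t drop)
{
    uint8_t pkt[1024]; struct peer_id id;
    size_t n = build_ike2_id(pkt, sizeof pkt, 2 /* ID_FQDN */, id_len);
    return (n && drop < n) ? parse_ike2_id(pkt, n - drop, &id) : -99;
}
```

A 520-byte identity is accepted, a 521-byte one is refused with -3, and a payload whose declared length outruns the datagram is refused with -2 before any copy happens.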
watchTowr's exploit gains RIP control and uses mprotect() to bypass NX and spawn a Python TCP shell, then escalates to a full Linux shell by remounting the filesystem read/write, downloading BusyBox and symlinking /bin/sh.
Researchers urge customers to address the issue as soon as possible.