CVE-2025-9242 — WatchGuard Firebox Out-of-Bounds Write Vulnerability

CVE-2025-9242

WatchGuard Firebox — iked Pre-Auth OOB Write via IKEv2 IDi Payload; 54k+ Unpatched Appliances at KEV Listing

What is WatchGuard Firebox?

WatchGuard Firebox is a network security appliance (UTM/NGFW) deployed by small and mid-sized businesses, managed service providers, and distributed enterprises for VPN termination, firewall, intrusion prevention, and content filtering. Firebox appliances commonly face the internet directly to terminate VPN connections from remote workers and branch offices — placing them squarely in the attack surface for pre-authentication network vulnerabilities.

WatchGuard Firebox appliances have been targeted in prior high-profile attacks. In 2022, the Russian GRU-linked Sandworm group deployed the Cyclops Blink botnet malware onto WatchGuard devices, prompting an FBI-led operation in April 2022 to remove it. The brand's prominence in SMB and MSP environments makes it a recurring target.

Overview

CVE-2025-9242 is a pre-authentication out-of-bounds write (CWE-787) in the WatchGuard Firebox iked daemon — the IKEv2 VPN key exchange process. A remote unauthenticated attacker can send a crafted IKEv2 IKE_AUTH packet to trigger memory corruption leading to arbitrary code execution on the firewall. WatchGuard confirmed active exploitation on October 21, 2025; CISA added the vulnerability to the KEV catalog on November 12, 2025, at which point Shadowserver Foundation counted over 54,300 unpatched internet-facing appliances.

Affected Versions

Fireware OS branch          Vulnerable                    Fixed
2025.x                      2025.1                        2025.1.1
12.x                        12.0 through 12.11.3          12.11.4
12.5.x (T15/T35 models)     12.5.12 and earlier           12.5.13
12.3.x (FIPS-certified)     12.3.1_Update2 and earlier    12.3.1_Update3
11.x series                 All versions                  No fix; end of life
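The table above is easy to misread on a fleet with mixed hardware, because the fix version depends on the branch and, for the T15/T35 models, on the hardware. The following is an added triage helper, not WatchGuard tooling, that encodes the table so an inventory export can be checked mechanically (it also serves step 1 of Remediation below). It assumes version strings in the form the table uses (`12.11.3`, `12.5.12`, `12.3.1_Update2`, `2025.1`), and the caller must say whether a device is a T15/T35, since the model cannot be derived from the version string. The inventory in `main` is constructed for the demo.

```c
/*
 * Fireware version triage for CVE-2025-9242, encoding the Affected Versions table.
 * Added example; not WatchGuard tooling. Assumed version string forms:
 * "2025.1", "12.11.3", "12.5.12", "12.3.1_Update2", "11.12.4".
 */
#include <stdio.h>
#include <string.h>

enum fw_status { FW_FIXED = 0, FW_VULNERABLE = 1, FW_EOL_NO_FIX = 2, FW_UNKNOWN = 3 };

/* Parse "A.B[.C][_UpdateN]" into numeric parts; missing parts are 0. Returns 0 on bad input. */
static int parse_fireware(const char *v, int *major, int *minor, int *patch, int *update) {
    *major = *minor = *patch = *update = 0;
    int got = sscanf(v, "%d.%d.%d", major, minor, patch);
    if (got < 2) return 0;
    const char *u = strstr(v, "_Update");                  /* FIPS builds carry an _UpdateN suffix */
    if (u && sscanf(u, "_Update%d", update) != 1) return 0;
    return 1;
}

/* (minor, patch) >= (need_minor, need_patch) */
static int at_least(int minor, int patch, int need_minor, int need_patch) {
    return minor > need_minor || (minor == need_minor && patch >= need_patch);
}

/* is_t15_t35: those models stay on the 12.5.x branch, so their fix is 12.5.13 rather than 12.11.4 */
enum fw_status fireware_status(const char *version, int is_t15_t35) {
    int major, minor, patch, update;
    if (!parse_fireware(version, &major, &minor, &patch, &update)) return FW_UNKNOWN;

    if (major <= 11) return FW_EOL_NO_FIX;                 /* 11.x and older: no patch, replace */
    if (major > 2025) return FW_FIXED;                     /* newer than any affected release */
    if (major == 2025) return at_least(minor, patch, 1, 1) ? FW_FIXED : FW_VULNERABLE;
    if (major != 12) return FW_UNKNOWN;                    /* no such branch in the advisory */

    if (strstr(version, "_Update")) {                      /* FIPS-certified 12.3.1_UpdateN branch */
        if (minor == 3 && patch == 1) return update >= 3 ? FW_FIXED : FW_VULNERABLE;
        return FW_UNKNOWN;
    }
    if (is_t15_t35 && minor == 5) return patch >= 13 ? FW_FIXED : FW_VULNERABLE;
    /* everything else on 12.x: 12.0 through 12.11.3 is vulnerable, 12.11.4+ is fixed */
    return at_least(minor, patch, 11, 4) ? FW_FIXED : FW_VULNERABLE;
}

int main(void) {
    static const char *names[] = { "FIXED", "VULNERABLE", "EOL (no fix)", "UNKNOWN" };
    /* constructed inventory for the demo */
    struct { const char *host; const char *ver; int t15_t35; } inv[] = {
        { "fb-hq",     "12.11.3",        0 },
        { "fb-branch", "12.5.12",        1 },
        { "fb-fips",   "12.3.1_Update2", 0 },
        { "fb-legacy", "11.12.4",        0 },
        { "fb-new",    "2025.1.1",       0 },
    };
    for (size_t i = 0; i < sizeof inv / sizeof inv[0]; i++)
        printf("%-10s %-16s %s\n", inv[i].host, inv[i].ver,
               names[fireware_status(inv[i].ver, inv[i].t15_t35)]);
    return 0;
}
```

Note that a non-T15/T35 device reporting 12.5.13 is still classified vulnerable: on the general 12.x branch the fixed build is 12.11.4, and 12.5.13 only closes the hole on the models that cannot run 12.11.x.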

Technical Details

The vulnerability is a missing length check in the iked daemon's handling of the IKEv2 IDi (Initiator Identity) payload during the IKE_AUTH exchange. When the appliance receives an IKE_AUTH request, it processes the identity payload before certificate validation. An oversized IDi payload (exceeding 100 bytes) triggers an out-of-bounds write into adjacent memory, corrupting heap structures.

Critically, peer authentication in IKEv2 happens inside IKE_AUTH itself: the exchange is encrypted with keys derived from the preceding IKE_SA_INIT Diffie-Hellman exchange, which any initiator can complete, and the certificate or pre-shared-key check that would reject a bogus peer runs only after the IDi payload has been parsed. The flaw is therefore reachable before any authentication check occurs.
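To make the missing length check concrete, here is an added C model of the IDi parsing path. It is not iked code (which is not public): it assumes a fixed 100-byte destination buffer, the only figure given above, and models the surrounding heap as a single arena so that the overflow stays inside memory the program owns while still clobbering the object placed after the buffer. The payload layout follows RFC 7296 section 3.5; on the wire this payload sits inside the encrypted SK payload of IKE_AUTH, so the model operates on the decrypted bytes. The vulnerable and fixed parsers sit side by side.

```c
/*
 * Model of the IKEv2 IDi payload parsing path. ASSUMPTIONS: iked copies the
 * Identification Data into a fixed 100-byte buffer, and the object after it
 * is what the overflow corrupts. The "heap" is one arena so the write stays
 * in memory we own (defined behaviour) while still hitting the neighbour.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_BUF_LEN   100   /* assumed fixed-size destination buffer */
#define ARENA_LEN    256   /* ID buffer followed by the "adjacent" object */
#define PAYLOAD_HDR  8     /* generic header (4) + ID Type (1) + RESERVED (3), RFC 7296 s.3.2/3.5 */
#define SENTINEL     0xAA  /* fill pattern for the adjacent object */

/* IKEv2 Identification Type values (RFC 7296 s.3.5) used in the demo */
enum { ID_IPV4_ADDR = 1, ID_FQDN = 2, ID_RFC822_ADDR = 3 };

struct sa_ctx {
    unsigned char arena[ARENA_LEN]; /* [0, ID_BUF_LEN) = ID buffer, rest = adjacent object */
};

void sa_ctx_init(struct sa_ctx *ctx) { memset(ctx->arena, SENTINEL, ARENA_LEN); }

/* 1 if any byte past the ID buffer no longer holds the sentinel */
int adjacent_corrupted(const struct sa_ctx *ctx) {
    for (size_t i = ID_BUF_LEN; i < ARENA_LEN; i++)
        if (ctx->arena[i] != SENTINEL) return 1;
    return 0;
}

static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Encode an IDi payload as it appears (after decryption) inside IKE_AUTH:
 * Next Payload | C+RESERVED | Payload Length (BE16, includes header) | ID Type | RESERVED(3) | Data
 * Returns the total payload length, or 0 if it does not fit in out. */
size_t build_idi(unsigned char *out, size_t out_cap, uint8_t id_type,
                 const unsigned char *id, size_t id_len) {
    size_t total = PAYLOAD_HDR + id_len;
    if (total > out_cap || total > 0xFFFF) return 0;
    out[0] = 0;                         /* Next Payload: none (demo) */
    out[1] = 0;                         /* Critical bit clear, reserved zero */
    out[2] = (unsigned char)(total >> 8);
    out[3] = (unsigned char)(total & 0xFF);
    out[4] = id_type;
    out[5] = out[6] = out[7] = 0;       /* RESERVED */
    memcpy(out + PAYLOAD_HDR, id, id_len);
    return total;
}

/* Shared header validation; returns the Identification Data length, or -1 if malformed */
static int idi_data_len(const unsigned char *pkt, size_t pkt_len) {
    if (pkt_len < PAYLOAD_HDR) return -1;
    uint16_t plen = be16(pkt + 2);
    if (plen < PAYLOAD_HDR || plen > pkt_len) return -1;
    return (int)(plen - PAYLOAD_HDR);
}

/* VULNERABLE: trusts the wire length and copies into the 100-byte buffer.
 * The ARENA_LEN guard only keeps this demo inside memory it owns; the bug the
 * page describes is the missing ID_BUF_LEN check. Returns bytes copied. */
int parse_idi_vulnerable(struct sa_ctx *ctx, const unsigned char *pkt, size_t pkt_len) {
    int n = idi_data_len(pkt, pkt_len);
    if (n < 0 || (size_t)n > ARENA_LEN) return -1;
    memcpy(ctx->arena, pkt + PAYLOAD_HDR, (size_t)n);   /* runs past ID_BUF_LEN */
    return n;
}

/* FIXED: reject Identification Data that does not fit before touching memory.
 * Returns bytes copied, -1 malformed, -2 oversized. */
int parse_idi_fixed(struct sa_ctx *ctx, const unsigned char *pkt, size_t pkt_len) {
    int n = idi_data_len(pkt, pkt_len);
    if (n < 0) return -1;
    if ((size_t)n > ID_BUF_LEN) return -2;
    memcpy(ctx->arena, pkt + PAYLOAD_HDR, (size_t)n);
    return n;
}

int main(void) {
    struct sa_ctx ctx;
    unsigned char pkt[300], id[120];
    memset(id, 'A', sizeof id);                          /* constructed 120-byte identity */
    size_t n = build_idi(pkt, sizeof pkt, ID_RFC822_ADDR, id, sizeof id);

    sa_ctx_init(&ctx);
    printf("vulnerable: copied %d bytes, adjacent object corrupted=%d\n",
           parse_idi_vulnerable(&ctx, pkt, n), adjacent_corrupted(&ctx));
    sa_ctx_init(&ctx);
    printf("fixed: rc=%d, adjacent object corrupted=%d\n",
           parse_idi_fixed(&ctx, pkt, n), adjacent_corrupted(&ctx));
    return 0;
}
```

The point of the two parsers sitting together is where the check lives: the fixed variant compares the attacker-controlled length against the destination size before the copy, which is the only place that comparison is useful. Validating the certificate afterwards, as the text describes, does nothing for memory that has already been overwritten.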

Configuration scope: Any Firebox with one of the following enabled is vulnerable:

  • Mobile User VPN (IKEv2)
  • Branch Office VPN with dynamic gateway peers
  • Branch Office VPN to a static gateway peer, which remains exposed even when dynamic-gateway BOVPN and mobile VPN are both disabled; this is easy to overlook when assessing exposure

Key characteristics:

  • Pre-authentication; reachable with one IKE_SA_INIT round trip followed by a single crafted IKE_AUTH request over UDP 500 or 4500 (NAT-T)
  • Exploitable from the internet on any Firebox exposing VPN
  • EOL 11.x series receives no patch

Discovery

Reported by researcher "btaol" per the WatchGuard PSIRT advisory.

Exploitation Context

WatchGuard confirmed "evidence that suggests this vulnerability is under active exploitation" as of October 21, 2025, identifying four attacker IP addresses in their telemetry. The gap between the September 17 patch release and the November 12 KEV listing — nearly two months — allowed exploitation to proceed while a large fraction of the install base remained unpatched.

Shadowserver Foundation reported over 54,300 internet-facing Firebox appliances remained on vulnerable firmware versions as of the KEV listing date. No specific threat actor group has been publicly attributed to the exploitation campaign.

Remediation

  1. Apply the patch for your Fireware branch immediately — upgrade to 2025.1.1, 12.11.4, 12.5.13 (T15/T35), or 12.3.1_Update3 (FIPS). EOL 11.x devices must be replaced.
  2. Verify your VPN configuration scope — even static gateway BOVPNs leave the appliance vulnerable; do not assume disabling mobile VPN mitigates the risk.
  3. Restrict IKEv2 access by source IP if your VPN topology allows it — limit UDP 500/4500 to known peer IPs to reduce exposure while patching.
  4. Check for indicators of compromise — review iked and VPN diagnostic logs for IKE_AUTH negotiations from addresses that are not known BOVPN peers or mobile VPN users, and treat any such attempt that predates patching as a possible exploitation attempt.
  5. Replace EOL 11.x appliances — no patch will be released for the 11.x series; any such device that was internet-exposed should be treated as potentially compromised, isolated from the network, and replaced.
  6. Enable WatchGuard's Threat Detection and Response (TDR) for post-exploitation activity monitoring on patched appliances.

Key Details

Property                 Value
CVE ID                   CVE-2025-9242
Vendor / Product         WatchGuard — Firebox
NVD Published            2025-09-17
NVD Last Modified        2025-11-14
CVSS 3.1 Score           9.8
CVSS 3.1 Vector          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity                 CRITICAL
CWE                      CWE-787 (Out-of-bounds Write)
CISA KEV Added           2025-11-12
CISA KEV Deadline        2025-12-03
Known Ransomware Use     No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-12-03. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-09-17   CVE published; WatchGuard releases patches (Fireware 2025.1.1, 12.11.4)
2025-10-21   WatchGuard confirms active exploitation with four attacker IPs identified
2025-11-12   Added to CISA Known Exploited Vulnerabilities catalog; Shadowserver reports 54,300+ unpatched appliances
2025-12-03   CISA BOD 22-01 remediation deadline