CVE-2025-9242

9.8 CRITICAL CISA KEV

📋 TL;DR

An out-of-bounds write in the IKE daemon (iked) of WatchGuard Fireware OS allows a remote, unauthenticated attacker to execute arbitrary code on the firewall. The bug is reachable only through Mobile User VPN with IKEv2 and Branch Office VPN configurations that use IKEv2 with a dynamic gateway peer. CISA lists the CVE in its Known Exploited Vulnerabilities catalog; organizations running an affected Fireware OS version with one of these VPN configurations exposed should treat it as a complete-compromise risk for the device and the network behind it.

💻 Affected Systems

Products:
  • WatchGuard Fireware OS
Versions: Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1
Operating Systems: Fireware OS
Default Config Vulnerable: No
Notes: Only affects Mobile User VPN with IKEv2 and Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. Static gateway configurations are listed as not vulnerable; confirm the exact configuration conditions (including whether a previously configured and later removed dynamic-gateway VPN still matters) against the vendor advisory before ruling a firewall out.

📦 What is this software?

Fireware OS is the operating system that runs on WatchGuard Firebox firewall appliances. It provides the firewall, routing and VPN functions of the device, including the IKEv2-based Mobile User VPN and Branch Office VPN services whose IKE daemon (iked) contains this vulnerability. Because the daemon listens on the interfaces that VPN peers and remote users connect to, the affected code is typically reachable from the internet.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attacker gains full control of the firewall, enabling data exfiltration, network pivoting, and persistent backdoor installation.

🟠 Likely Case

Attacker executes arbitrary code with firewall privileges, potentially intercepting VPN traffic, modifying firewall rules, or deploying ransomware into the protected network.

🟢 If Mitigated

With proper network segmentation and monitoring, the direct impact is confined to the firewall device itself, although credentials and traffic passing through the device can still be stolen and reused for lateral movement.

🌐 Internet-Facing: HIGH - Vulnerability is remotely exploitable without authentication and affects VPN services typically exposed to the internet.
🏢 Internal Only: MEDIUM - Lower risk if VPN services are not internet-facing, but still exploitable from internal networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on GitHub, and CISA confirms active exploitation in the wild. Attack requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fireware OS 11.12.5, 12.11.4, and 2025.2 (confirm the exact fixed build for your branch and hardware model in the vendor advisory below)

Vendor Advisory: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015

Restart Required: Yes

Instructions:

1. Download the appropriate patched version from the WatchGuard support portal.
2. Back up the current configuration.
3. Apply the update through the Web UI or CLI.
4. Reboot the firewall to complete installation, then re-check the running version.

🔧 Temporary Workarounds

Disable IKEv2 VPN with dynamic gateway
Applies to: all
Temporarily disable the vulnerable VPN configurations until patching can be completed: reconfigure Branch Office VPN gateways to use a static gateway peer, or disable the IKEv2 VPN services themselves (Mobile User VPN with IKEv2 and IKEv2 Branch Office VPNs with dynamic gateway peers).

Network segmentation and access control
Applies to: all
Restrict access to VPN services to trusted IP ranges only: add firewall policies that allow IKE and NAT-T traffic (UDP 500 and UDP 4500) only from the specific source addresses of known peers. This fits Branch Office VPN peers with known addresses; it does not help for Mobile User VPN clients that connect from arbitrary addresses, and it reduces exposure without removing the vulnerability.

🧯 If You Can't Patch

  • Isolate affected firewalls from critical network segments using VLANs or physical segmentation
  • Implement strict network monitoring and alerting for suspicious VPN connection attempts

🔍 How to Verify

Check if Vulnerable:

Run the CLI version check below and compare the result with the affected ranges listed above; then confirm whether Mobile User VPN with IKEv2 is enabled, or any Branch Office VPN gateway uses IKEv2 with a dynamic gateway peer. A firewall is exposed only when it runs an affected version and carries one of these configurations.

Check Version:

From CLI: show version | include Fireware

Verify Fix Applied:

Verify that the running Fireware OS version is at or above the fixed build for its branch (11.12.5, 12.11.4 or 2025.2 as listed above), that the firewall has rebooted since the update, and that VPN services are functioning normally.
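The version-range check above carried through in code, as an added example that is not WatchGuard tooling or part of this page's original content: it parses Fireware version strings, including the _UpdateN build suffix, and tests them against the affected ranges listed on this page, treating each branch as affected from its first affected build up to but not including its fixed build. The function and constant names are this example's own, and the vendor advisory remains authoritative for the exact builds.

```python
"""Check a Fireware OS version string against the affected ranges on this page.

Added example, not WatchGuard tooling. The ranges are the ones listed above;
confirm the fixed builds for your branch and model against the vendor advisory.
"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int, int]

# (first affected build, first fixed build) per branch, as stated on this page.
# A branch is affected from the first entry up to but not including the second,
# which covers the listed "through 11.12.4_Update1" and "through 12.11.3" bounds.
# If the vendor advisory lists further fixed builds for specific models, add them here.
AFFECTED_BRANCHES: List[Tuple[str, str]] = [
    ("11.10.2", "11.12.5"),
    ("12.0", "12.11.4"),
    ("2025.1", "2025.2"),
]

# major.minor[.patch][_UpdateN]; the update suffix sorts after the bare release.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_Update(\d+))?$")


def parse_version(text: str) -> Version:
    """'11.12.4_Update1' -> (11, 12, 4, 1); '2025.1' -> (2025, 1, 0, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware OS version string: {text!r}")
    major, minor, patch, update = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch, update)


def version_in_affected_range(version: str) -> bool:
    """True if the build falls inside any affected branch range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(fixed)
               for lo, fixed in AFFECTED_BRANCHES)


def is_vulnerable(version: str, ikev2_dynamic_gateway_configured: bool) -> bool:
    """Exposed only when an affected build also carries the vulnerable config:
    Mobile User VPN with IKEv2, or an IKEv2 Branch Office VPN with a dynamic
    gateway peer. The second argument is the operator's answer to that question."""
    return version_in_affected_range(version) and ikev2_dynamic_gateway_configured


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    for ver, dyn in [("12.11.3", True), ("12.11.4", True),
                     ("11.12.4_Update1", True), ("2025.1", False)]:
        print(f"{ver:>16}  ikev2_dynamic={dyn!s:5}  vulnerable={is_vulnerable(ver, dyn)}")
```

Feed it the version string reported by the CLI or Web UI; a ValueError means the string did not match the expected major.minor.patch[_UpdateN] shape and should be checked by hand rather than assumed safe.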

📡 Detection & Monitoring

Log Indicators:

  • Unusual VPN connection attempts, especially repeated IKEv2 negotiations from unexpected IP addresses
  • Crashes or restarts of the IKE daemon (iked) or of the firewall itself, the expected side effect of a failed memory-corruption attempt
  • Unauthorized or unexpected configuration changes, new administrator accounts, or edits to VPN and firewall policies

Network Indicators:

  • Suspicious IKEv2 negotiation patterns, such as bursts of IKE_SA_INIT messages on UDP 500/4500 from a single source
  • Unexpected outbound connections originating from the firewall itself
  • Anomalous VPN traffic volumes

SIEM Query:

source="firewall.log" AND ("IKEv2" OR "VPN" OR "iked") AND ("crash" OR "segfault" OR "restart" OR "buffer" OR "overflow")

This query is a starting point, not a signature: tune the process name and keywords to what your Fireware log export actually contains, and correlate hits with the source addresses seen in IKEv2 negotiations shortly before a crash.
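The log indicators above applied to sample lines, as an added example that is not part of this page or of any WatchGuard product: the log format, process names and addresses are constructed for illustration, and the regular expressions would need to be adapted to a real Fireware log export. It flags bursts of IKE_SA_INIT messages from one untrusted source inside a sliding time window, crashes or restarts of iked, and configuration changes from an untrusted address.

```python
"""Run the indicators above over firewall log lines.

Added example, not WatchGuard tooling. The log format and the sample lines are
constructed for illustration; adapt the regular expressions to the real
Fireware log export before using this against production data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample: normal IKEv2 activity from a known BOVPN peer, then a burst
# of IKE_SA_INIT messages from an unknown host, an iked crash and restart, and a
# configuration change from that same host. Addresses are documentation ranges.
SAMPLE_LOG = """\
2025-09-18T10:00:01Z fw1 iked: IKEv2 IKE_SA_INIT received from 198.51.100.20
2025-09-18T10:00:03Z fw1 iked: IKEv2 IKE_AUTH ok peer=198.51.100.20
2025-09-18T10:05:10Z fw1 iked: IKEv2 IKE_SA_INIT received from 203.0.113.7
2025-09-18T10:05:10Z fw1 iked: IKEv2 IKE_SA_INIT received from 203.0.113.7
2025-09-18T10:05:11Z fw1 iked: IKEv2 IKE_SA_INIT received from 203.0.113.7
2025-09-18T10:05:11Z fw1 iked: IKEv2 IKE_SA_INIT received from 203.0.113.7
2025-09-18T10:05:12Z fw1 iked: IKEv2 IKE_SA_INIT received from 203.0.113.7
2025-09-18T10:05:12Z fw1 iked: IKEv2 IKE_SA_INIT received from 203.0.113.7
2025-09-18T10:05:13Z fw1 kernel: iked[2231]: segfault at 0 error 4
2025-09-18T10:05:14Z fw1 init: process iked restarted
2025-09-18T10:06:00Z fw1 sysd: configuration changed by admin from 203.0.113.7
"""

# Regexes are tied to the constructed format above (assumption, not Fireware's real layout).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
IKE_INIT_RE = re.compile(r"IKE_SA_INIT received from (?P<src>\d+\.\d+\.\d+\.\d+)")
CRASH_RE = re.compile(r"iked.*(segfault|crash|core dump|restarted)", re.IGNORECASE)
CONFIG_RE = re.compile(r"configuration changed by \S+ from (?P<src>\S+)")

Finding = Tuple[str, str]  # (indicator name, supporting detail)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def scan(log_text: str,
         burst_threshold: int = 5,
         window: timedelta = timedelta(seconds=60),
         trusted_sources: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return one finding per matched indicator.

    ikev2_init_burst: one untrusted source sends >= burst_threshold IKE_SA_INIT
        messages inside any `window` (sliding window over sorted timestamps).
    iked_crash: the IKE daemon crashed or was restarted, the usual side effect
        of a failed or noisy memory-corruption attempt.
    config_change_untrusted_source: a configuration change from an address that
        is not on the trusted list (post-exploitation indicator).
    """
    findings: List[Finding] = []
    init_times: Dict[str, List[datetime]] = defaultdict(list)

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in an unexpected format
        ts, proc, msg = parse_ts(m["ts"]), m["proc"], m["msg"]
        init = IKE_INIT_RE.search(msg)
        cfg = CONFIG_RE.search(msg)
        if init:
            if init["src"] not in trusted_sources:
                init_times[init["src"]].append(ts)
        elif CRASH_RE.search(f"{proc}: {msg}"):
            findings.append(("iked_crash", line))
        elif cfg and cfg["src"] not in trusted_sources:
            findings.append(("config_change_untrusted_source", line))

    for src, times in init_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= burst_threshold:
                detail = f"{src}: {end - start + 1} IKE_SA_INIT within {int(window.total_seconds())}s"
                findings.append(("ikev2_init_burst", detail))
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG, trusted_sources=frozenset({"198.51.100.20"})):
        print(f"[{kind}] {detail}")
```

The iked crash is the indicator worth paging on: a memory-corruption exploit that misfires tends to take the daemon down, and a burst of IKE_SA_INIT messages from one address immediately before such a crash is the sequence to look for. Seed the trusted list with the static addresses of known Branch Office VPN peers so that normal renegotiation does not trip the burst rule.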

🔗 References

  • WatchGuard PSIRT advisory WGSA-2025-00015: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015
  • NVD entry for CVE-2025-9242: https://nvd.nist.gov/vuln/detail/CVE-2025-9242
  • CISA Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
