
WatchGuard Patches Major VPN Flaw Letting Attackers Execute Code Remotely

WatchGuard has disclosed a critical out-of-bounds write vulnerability in its Fireware OS that allows unauthenticated remote attackers to execute arbitrary code simply by sending specially crafted IKEv2 VPN connections.

High-Impact Flaw in Firebox Appliances

The vulnerability, tracked as CVE-2025-9242 and rated 9.3 in severity, poses a high risk to the thousands of small and midsize enterprises that use WatchGuard Firebox appliances as their perimeter defenses. The flaw affects numerous Fireware OS versions across the 11.x, 12.x, and 2025 branches. WatchGuard, which protects over 250,000 organizations, is urging customers to patch immediately to mitigate the threat of ransomware and other malicious intrusions.
The vulnerability resides within the IKE process, which handles IKEv2 negotiations for both mobile users and branch office VPNs. An attacker can send crafted packets to trigger an out-of-bounds write in the ike2_ProcessPayload_CERT function. The bug lets attacker-controlled identification data overflow a stack buffer, effectively hijacking control flow. Even after a VPN configuration is deleted, the appliance may remain vulnerable if static peers are still active, because the IKE process is reachable before authentication over UDP port 500.
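The defect class described above is a length taken from the wire and trusted when copying into a fixed-size stack buffer. The following C program is an added example, not WatchGuard's code and not derived from the Fireware binary: it parses a constructed IKEv2 identification payload using the real generic payload header layout from RFC 7296 (section 3.2) and the ID payload header (section 3.5), and shows the bounds checks that prevent the overflow. The buffer size, status codes, function names and the sample packets are all constructed for illustration.

```c
/* Added example (hypothetical code, not WatchGuard's): bounds-checked handling
 * of an IKEv2 identification payload. Constants and packets are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IKEV2_PAYLOAD_HDR_LEN 4  /* RFC 7296 s3.2: next payload, flags, 16-bit length (big-endian) */
#define ID_HDR_LEN 4             /* RFC 7296 s3.5: ID type + 3 reserved bytes */
#define ID_BUF_LEN 32            /* hypothetical fixed-size destination buffer */

enum id_status { ID_OK = 0, ID_SHORT = 1, ID_TRUNCATED = 2, ID_OVERSIZED = 3 };

/*
 * The unsafe pattern, in simplified form, trusts the wire length field and
 * copies straight into a fixed stack buffer:
 *
 *     uint8_t buf[ID_BUF_LEN];
 *     memcpy(buf, data, wire_len - 8);   // wire_len is attacker-controlled
 *
 * parse_id_payload() instead checks the declared length against the bytes
 * actually received and against the destination before copying anything.
 */
enum id_status parse_id_payload(const uint8_t *p, size_t avail,
                                uint8_t *out, size_t out_len, size_t *copied)
{
    const size_t hdr = IKEV2_PAYLOAD_HDR_LEN + ID_HDR_LEN;
    if (avail < hdr) return ID_SHORT;                  /* not even a full header received */
    size_t wire_len = ((size_t)p[2] << 8) | p[3];      /* declared payload length incl. header */
    if (wire_len < hdr) return ID_SHORT;               /* length field smaller than the headers */
    if (wire_len > avail) return ID_TRUNCATED;         /* declared length runs past the packet */
    size_t data_len = wire_len - hdr;
    if (data_len > out_len) return ID_OVERSIZED;       /* would not fit: reject, do not copy */
    memcpy(out, p + hdr, data_len);
    *copied = data_len;
    return ID_OK;
}

/* Builds a constructed ID payload with `data_len` bytes of identification data
 * but a length field of `declared_len`, then parses it into a fixed buffer. */
enum id_status run_case(size_t data_len, uint16_t declared_len, size_t *copied)
{
    uint8_t pkt[512];                 /* constructed packet */
    uint8_t id_buf[ID_BUF_LEN];       /* fixed-size destination, as in the flawed pattern */
    size_t total = IKEV2_PAYLOAD_HDR_LEN + ID_HDR_LEN + data_len;
    *copied = 0;
    if (total > sizeof pkt) return ID_SHORT;
    pkt[0] = 0;                                 /* next payload: none */
    pkt[1] = 0;                                 /* critical bit clear, reserved */
    pkt[2] = (uint8_t)(declared_len >> 8);      /* payload length, big-endian */
    pkt[3] = (uint8_t)(declared_len & 0xff);
    pkt[4] = 1;                                 /* ID type 1 = ID_IPV4_ADDR (RFC 7296 s3.5) */
    pkt[5] = pkt[6] = pkt[7] = 0;               /* reserved */
    memset(pkt + 8, 'A', data_len);             /* constructed identification data */
    return parse_id_payload(pkt, total, id_buf, sizeof id_buf, copied);
}

/* Small wrappers so each case can be inspected by return value. */
int status_for(size_t data_len, uint16_t declared_len)
{
    size_t n;
    return (int)run_case(data_len, declared_len, &n);
}

size_t copied_for(size_t data_len, uint16_t declared_len)
{
    size_t n;
    run_case(data_len, declared_len, &n);
    return n;
}

int main(void)
{
    printf("valid 4-byte IPv4 ID:     status=%d copied=%zu\n", status_for(4, 12), copied_for(4, 12));
    printf("length past packet end:   status=%d\n", status_for(4, 200));
    printf("data larger than buffer:  status=%d\n", status_for(100, 108));
    printf("length below header size: status=%d\n", status_for(0, 4));
    return 0;
}
```

The two checks that matter are the comparison of the declared length against the bytes actually received (an over-read) and the comparison of the resulting data length against the destination (the out-of-bounds write the article describes); a parser that performs only the first still overflows its stack buffer.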

Technical Analysis and Exploitation

Security researchers at WatchTowr Labs reverse-engineered the code and found that the stack-based buffer overflow, a vulnerability class known for decades, persists because the appliance's software lacks modern mitigations such as PIE and stack canaries.
Exploitation involves first fingerprinting the device’s firmware version using a custom Vendor ID payload. Attackers then negotiate specific cryptographic transforms before sending an oversized identification payload in the IKE_SA_AUTH request. This corrupts registers and allows an attacker to chain commands, ultimately enabling remote code execution. WatchTowr demonstrated this by deploying a reverse TCP shellcode that grants full root shell access to the device.

Mitigations

WatchGuard has resolved the issue in new firmware releases, including 2025.1.1 for the latest branch and 12.11.4 for the 12.x branch. Since many affected products, like the Firebox T20 and M690 series, serve as the internet-facing boundary, a breach could allow attackers to pivot easily into the internal network.
As a temporary workaround, organizations should secure their IPSec/IKEv2 branch office VPNs using strict access controls and disable IKEv2 entirely if it is not required for business operations. While no in-the-wild exploits have been confirmed yet, the detailed public analysis and unauthenticated nature of the attack make prompt patching essential.
