Urgent Patch: Critical WatchGuard Firewall Flaw Exposes 76,000 Devices to RCE

A critical vulnerability in WatchGuard's Fireware OS lets a remote attacker execute arbitrary code on affected Firebox appliances with no prior authentication. The flaw is in the IKEv2 VPN code and affects devices running Mobile User VPN with IKEv2, as well as Branch Office VPN connections that use a dynamic gateway peer.

The vulnerability, tracked as CVE-2025-9242, carries a CVSS score of 9.3 and affects several Fireware OS branches: 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1. The root cause is a missing length check: identification data carried in the peer's certificate payload is copied into a fixed-size stack buffer without its length being compared to the buffer's capacity, so an oversized payload overflows the stack during tunnel setup. The bug lives in the ike2_ProcessPayload_CERT function and is reachable before the certificate is verified, so no credentials and no valid certificate are needed to trigger it.
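To make the bug class concrete, here is an added illustration (my own code, not Fireware's and not watchTowr's analysis): a parser for the IKEv2 CERT payload written the way the article describes the flaw, copying certificate data into a fixed-size stack buffer using the peer-supplied payload length, beside the bounds-checked version. The buffer size, function names, status codes and the filler certificate bytes are constructed for the example; the payload layout follows RFC 7296.

```c
/*
 * Added example, not WatchGuard code: the bug class behind CVE-2025-9242.
 * An IKEv2 CERT payload is copied into a fixed-size buffer using the
 * attacker-supplied Payload Length, beside a parser that checks first.
 *
 * IKEv2 generic payload header (RFC 7296, section 3.2):
 *   byte 0     Next Payload
 *   byte 1     Critical bit + reserved
 *   bytes 2-3  Payload Length, big-endian, includes the 4-byte header
 * CERT payload body (section 3.6):
 *   byte 4     Cert Encoding
 *   byte 5..   Certificate Data
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IKE_PAYLOAD_HDR_LEN 4
#define CERT_ENCODING_LEN   1
#define CERT_BUF_LEN        64   /* assumed fixed buffer size, for illustration */

enum cert_status { CERT_OK = 0, CERT_ERR_SHORT = -1, CERT_ERR_TRUNCATED = -2, CERT_ERR_TOO_LONG = -3 };

struct cert_info {
    uint8_t encoding;
    size_t  len;
    uint8_t data[CERT_BUF_LEN];
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern: trusts Payload Length. The memcpy length is attacker
 * controlled and never compared with sizeof(info->data); a length below 5 even
 * underflows to a huge copy. Only call this with a payload that fits; an
 * oversized one smashes the stack, which is exactly the bug. */
int cert_parse_vulnerable(const uint8_t *pkt, size_t pkt_len, struct cert_info *info)
{
    if (pkt_len < IKE_PAYLOAD_HDR_LEN + CERT_ENCODING_LEN) return CERT_ERR_SHORT;
    size_t payload_len = be16(pkt + 2);
    info->encoding = pkt[4];
    info->len = payload_len - IKE_PAYLOAD_HDR_LEN - CERT_ENCODING_LEN;  /* no check */
    memcpy(info->data, pkt + 5, info->len);                              /* overflow */
    return CERT_OK;
}

/* Hardened parser: every length taken from the wire is checked against both
 * the bytes actually received and the destination buffer before any copy. */
int cert_parse_checked(const uint8_t *pkt, size_t pkt_len, struct cert_info *info)
{
    if (pkt_len < IKE_PAYLOAD_HDR_LEN + CERT_ENCODING_LEN) return CERT_ERR_SHORT;
    size_t payload_len = be16(pkt + 2);
    if (payload_len < IKE_PAYLOAD_HDR_LEN + CERT_ENCODING_LEN) return CERT_ERR_SHORT;
    if (payload_len > pkt_len) return CERT_ERR_TRUNCATED;       /* header claims more than received */
    size_t data_len = payload_len - IKE_PAYLOAD_HDR_LEN - CERT_ENCODING_LEN;
    if (data_len > sizeof info->data) return CERT_ERR_TOO_LONG;  /* the missing check */
    info->encoding = pkt[4];
    info->len = data_len;
    memcpy(info->data, pkt + 5, data_len);
    return CERT_OK;
}

/* Build a constructed CERT payload carrying data_len bytes of filler. Returns total size, 0 on failure. */
size_t build_cert_payload(uint8_t *out, size_t out_len, uint16_t data_len)
{
    size_t total = IKE_PAYLOAD_HDR_LEN + CERT_ENCODING_LEN + (size_t)data_len;
    if (total > out_len || total > 0xFFFF) return 0;
    out[0] = 0;                       /* next payload: none */
    out[1] = 0;                       /* not critical */
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)(total & 0xFF);
    out[4] = 4;                       /* encoding 4 = X.509 Certificate - Signature */
    memset(out + 5, 0x41, data_len);  /* constructed filler, not a real certificate */
    return total;
}

int main(void)
{
    uint8_t pkt[1024];
    struct cert_info info;

    size_t n = build_cert_payload(pkt, sizeof pkt, 32);
    printf("32-byte cert:  checked=%d vulnerable=%d\n",
           cert_parse_checked(pkt, n, &info), cert_parse_vulnerable(pkt, n, &info));

    n = build_cert_payload(pkt, sizeof pkt, 512);   /* larger than CERT_BUF_LEN */
    printf("512-byte cert: checked=%d (the vulnerable parser would overflow here)\n",
           cert_parse_checked(pkt, n, &info));
    return 0;
}
```

The order of the checks matters: the comparison against the bytes actually received comes before the arithmetic, so a header that claims more than the datagram holds can never produce a read past the packet, and the subtraction can never underflow.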

watchTowr Labs, which analysed the bug, calls it an ideal entry point for ransomware operators: it sits in an internet-facing service, needs no credentials, and on success hands over the device at the network's edge. Fireware ships no conventional shell such as /bin/bash, but the researchers showed that after hijacking the instruction pointer they could launch an interactive Python interpreter reachable over TCP; calling mprotect() from there to make memory executable defeats the NX protection and lets the attack proceed to a full Linux shell.

Turning that Python foothold into a regular shell takes three further steps: remount the root filesystem read-write, upload a BusyBox binary, and create a symbolic link /bin/sh pointing to it. At that point the attacker has an ordinary interactive shell on the appliance.

According to The Shadowserver Foundation, roughly 76,000 internet-exposed WatchGuard Firebox devices are still vulnerable to CVE-2025-9242. Its latest scan counted about 75,955 such instances, concentrated in Europe and North America: the United States leads with roughly 24,500, followed by Germany (7,300), Italy (6,800), the United Kingdom (5,400), Canada (4,100) and France (2,000). Shadowserver says these counts reflect real deployments, not honeypots.

WatchGuard has fixed the flaw in Fireware OS 2025.1.1 and 12.11.4, and in two maintenance builds for hardware that stays on older lines: 12.5.13 for the T15 and T35 models and 12.3.1_Update3 for the FIPS-certified build. The 11.x branch is no longer supported and receives no fix. Perimeter vulnerabilities invariably draw attackers' attention, and a flaw that needs neither credentials nor user interaction most of all.
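For an inventory check, here is an added example (not a WatchGuard tool) that encodes only the affected and fixed version numbers quoted in this article and classifies a Fireware OS version string against them. The case it handles that a naive comparison gets wrong: the maintenance-line fixes 12.5.13 and 12.3.1_Update3 sort below 12.11.3, so they have to be matched per line before the 12.0 through 12.11.3 range test. The status names and the version-string grammar (MAJOR.MINOR[.PATCH][_UpdateN]) are assumptions, and the result says nothing about whether a given device actually has IKEv2 VPN configured.

```c
/*
 * Added example: triage a Fireware OS version string against the affected and
 * fixed builds quoted in the article for CVE-2025-9242. Not a WatchGuard tool;
 * it encodes only those version numbers and knows nothing about the device's
 * VPN configuration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct fw_ver { int major, minor, patch, update; };

enum fw_status {
    FW_BAD_VERSION = -1,
    FW_NOT_LISTED = 0,              /* outside every range the advisory names */
    FW_VULNERABLE = 1,              /* in an affected range, fix available */
    FW_VULNERABLE_UNSUPPORTED = 2,  /* in an affected range, branch end of life */
    FW_PATCHED = 3
};

/* Parse "12.11.3", "12.3.1_Update3", "11.12.4_Update1" or "2025.1" (assumed grammar
 * MAJOR.MINOR[.PATCH][_UpdateN]); missing components are 0. Returns 0 on success. */
int fw_parse(const char *s, struct fw_ver *v)
{
    char *end;
    memset(v, 0, sizeof *v);
    v->major = (int)strtol(s, &end, 10);
    if (end == s) return -1;
    if (*end == '.') { s = end + 1; v->minor = (int)strtol(s, &end, 10); if (end == s) return -1; }
    if (*end == '.') { s = end + 1; v->patch = (int)strtol(s, &end, 10); if (end == s) return -1; }
    if (strncmp(end, "_Update", 7) == 0) { s = end + 7; v->update = (int)strtol(s, &end, 10); if (end == s) return -1; }
    return *end == '\0' ? 0 : -1;
}

int fw_cmp(const struct fw_ver *a, const struct fw_ver *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    if (a->update != b->update) return a->update < b->update ? -1 : 1;
    return 0;
}

/* v >= ref and v <= ref, with ref written as a literal from the advisory */
static int ge(const struct fw_ver *v, const char *ref) { struct fw_ver r; fw_parse(ref, &r); return fw_cmp(v, &r) >= 0; }
static int le(const struct fw_ver *v, const char *ref) { struct fw_ver r; fw_parse(ref, &r); return fw_cmp(v, &r) <= 0; }

enum fw_status fw_triage(const char *version)
{
    struct fw_ver v;
    if (fw_parse(version, &v) != 0) return FW_BAD_VERSION;

    switch (v.major) {
    case 11:   /* 11.10.2 through 11.12.4_Update1 affected; branch no longer supported */
        return (ge(&v, "11.10.2") && le(&v, "11.12.4_Update1")) ? FW_VULNERABLE_UNSUPPORTED : FW_NOT_LISTED;
    case 12:   /* 12.0 through 12.11.3 affected */
        /* The maintenance-line fixes sort below 12.11.3, so match them per line first. */
        if (v.minor == 3 && ge(&v, "12.3.1_Update3")) return FW_PATCHED;  /* FIPS-certified build */
        if (v.minor == 5 && ge(&v, "12.5.13")) return FW_PATCHED;         /* T15 and T35 models */
        if (ge(&v, "12.11.4")) return FW_PATCHED;
        return le(&v, "12.11.3") ? FW_VULNERABLE : FW_NOT_LISTED;
    case 2025: /* 2025.1 affected, fixed in 2025.1.1 */
        if (ge(&v, "2025.1.1")) return FW_PATCHED;
        return v.minor == 1 ? FW_VULNERABLE : FW_NOT_LISTED;
    default:
        return FW_NOT_LISTED;
    }
}

const char *fw_status_name(enum fw_status s)
{
    switch (s) {
    case FW_PATCHED:                return "patched";
    case FW_VULNERABLE:             return "VULNERABLE - update available";
    case FW_VULNERABLE_UNSUPPORTED: return "VULNERABLE - no fix for this branch";
    case FW_NOT_LISTED:             return "not in a listed range";
    default:                        return "unparseable version";
    }
}

int main(void)
{
    /* constructed sample inventory, not real scan data */
    const char *inventory[] = { "12.11.3", "12.11.4", "12.5.13", "12.3.1_Update2",
                                "12.3.1_Update3", "11.12.4_Update1", "2025.1", "2025.1.1", "12.9.x" };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++)
        printf("%-16s %s\n", inventory[i], fw_status_name(fw_triage(inventory[i])));
    return 0;
}
```

Feed it the version column from a device inventory export; anything reported as not in a listed range deserves a manual look rather than being treated as safe, since the code only knows the numbers the advisory names.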

Customers are urged to install the updates immediately. For Fireboxes that rely only on Branch Office VPN to static gateway peers, WatchGuard has published temporary hardening steps for IPSec and IKEv2 connections to use until the update can be installed. At the time of publication no active exploitation of CVE-2025-9242 had been observed, but administrators who have not yet patched should not wait for that to change.
