In September 2025, WatchGuard disclosed a critical vulnerability in its Fireware OS, tracked as CVE-2025-9242, in the IKEv2 implementation of its Firebox VPN stack. The flaw is an out-of-bounds write in the iked process and may permit a remote, unauthenticated attacker to execute arbitrary code on the appliance.
What makes this bug especially troubling is that it affects both mobile user VPNs using IKEv2 and branch office VPNs configured with a dynamic gateway peer.
This article dives into the technical details, risk to users and enterprises, mitigation strategies, and the broader lessons this vulnerability holds for VPN security.
Technical Overview & Attack Surface
The Vulnerability: Out-of-Bounds Write in iked
The bug resides in the IKE daemon (iked), which handles IKEv2 VPN negotiations. During the IKE_AUTH exchange, WatchGuard’s implementation processes certificate payloads and the peer’s identification data. Researchers found that the code copies that identification data into a fixed 520-byte stack buffer using the attacker-supplied length, with no check against the buffer’s size. The missing bound check lets an attacker overflow the buffer, corrupt adjacent stack memory, and hijack control flow.
Although certificate validation happens later in the same code path, the overflow occurs before any authentication has completed, so an attacker needs neither valid credentials nor a trusted certificate to reach it.
watchTowr’s analysis describes how the primitive can be escalated: with control of the instruction pointer, an attacker can call mprotect() to make the stack executable (defeating NX), then run shellcode that opens an interactive shell over TCP, even though Fireware OS ships no conventional shell interpreter such as /bin/bash.
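To make the bug class concrete, here is an added illustrative model. It is not WatchGuard’s code and not watchTowr’s proof of concept: it reproduces the pattern the analysis describes (identification data copied into a fixed 520-byte stack buffer with an attacker-controlled length) beside the bounded version, on a constructed IKEv2 Identification payload. The 520-byte size comes from the analysis above and the payload layout from RFC 7296; the struct, the guard word, and every function name are assumptions made for the demo. It models the handling after the IKE_AUTH message has been decrypted, since on the wire those payloads sit inside IKEv2’s Encrypted payload.

```c
/* Added illustrative model of the CVE-2025-9242 bug class (not WatchGuard's
 * code): an IKEv2 Identification payload whose data is copied into a fixed
 * 520-byte stack buffer using the length field from the packet.
 * Build: cc -std=c99 -Wall demo.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_BUF_SIZE   520   /* fixed buffer size reported in the analysis */
#define IKE_HDR_LEN   4     /* generic payload header: next, flags, length(16) */
#define ID_FIXED_LEN  4     /* ID payload: ID Type + 3 reserved bytes */
#define GUARD_VALUE   0xA5A5A5A5u

/* Simulated stack frame (assumption for the demo): the ID buffer followed by
 * a guard word standing in for whatever sits above it on the real stack
 * (saved registers, return address). Writing through a byte pointer to this
 * one object keeps the demo well-defined C while still showing the damage. */
struct frame {
    unsigned char id_buf[ID_BUF_SIZE];
    uint32_t      guard;
};

enum result { RESULT_OK = 0, RESULT_REJECTED = 1, RESULT_CORRUPTED = 2 };

/* Payload Length field of the generic payload header (big-endian), which
 * includes the 4-byte header itself; 0 if the header does not fit. */
static size_t payload_length(const unsigned char *p, size_t avail)
{
    if (avail < IKE_HDR_LEN)
        return 0;
    return ((size_t)p[2] << 8) | p[3];
}

/* Vulnerable pattern: the length comes straight from the packet and is never
 * compared against the destination buffer before the copy. */
enum result process_id_vulnerable(const unsigned char *pkt, size_t pkt_len)
{
    struct frame f;
    size_t plen = payload_length(pkt, pkt_len);
    size_t data_len;

    if (plen < IKE_HDR_LEN + ID_FIXED_LEN || plen > pkt_len)
        return RESULT_REJECTED;        /* only the packet's own framing is checked */
    data_len = plen - IKE_HDR_LEN - ID_FIXED_LEN;
    f.guard = GUARD_VALUE;
    if (data_len > sizeof f)           /* demo-only cap so the write stays inside the
                                          simulated frame; the real code has no cap */
        data_len = sizeof f;
    memcpy((unsigned char *)&f, pkt + IKE_HDR_LEN + ID_FIXED_LEN, data_len); /* BUG */
    return f.guard == GUARD_VALUE ? RESULT_OK : RESULT_CORRUPTED;
}

/* Hardened version: the one missing check, applied before the copy. */
enum result process_id_hardened(const unsigned char *pkt, size_t pkt_len)
{
    struct frame f;
    size_t plen = payload_length(pkt, pkt_len);
    size_t data_len;

    if (plen < IKE_HDR_LEN + ID_FIXED_LEN || plen > pkt_len)
        return RESULT_REJECTED;
    data_len = plen - IKE_HDR_LEN - ID_FIXED_LEN;
    if (data_len > sizeof f.id_buf)    /* reject instead of overflowing */
        return RESULT_REJECTED;
    f.guard = GUARD_VALUE;
    memcpy(f.id_buf, pkt + IKE_HDR_LEN + ID_FIXED_LEN, data_len);
    return f.guard == GUARD_VALUE ? RESULT_OK : RESULT_CORRUPTED;
}

/* Constructed test input: an Identification payload (ID_FQDN, RFC 7296 type 2)
 * carrying data_len bytes of filler. Returns the total payload length. */
size_t build_id_payload(unsigned char *out, size_t out_cap, size_t data_len)
{
    size_t total = IKE_HDR_LEN + ID_FIXED_LEN + data_len;

    if (total > out_cap || total > 0xFFFF)
        return 0;
    out[0] = 0;                            /* Next Payload: none */
    out[1] = 0;                            /* Critical bit clear, reserved */
    out[2] = (unsigned char)(total >> 8);  /* Payload Length, big-endian */
    out[3] = (unsigned char)(total & 0xFF);
    out[4] = 2;                            /* ID Type: ID_FQDN */
    out[5] = out[6] = out[7] = 0;          /* reserved */
    memset(out + IKE_HDR_LEN + ID_FIXED_LEN, 'A', data_len);
    return total;
}

/* Feed a payload with data_len bytes of identification data to one handler. */
enum result demo(size_t data_len, int hardened)
{
    static unsigned char pkt[4096];
    size_t n = build_id_payload(pkt, sizeof pkt, data_len);

    if (n == 0)
        return RESULT_REJECTED;
    return hardened ? process_id_hardened(pkt, n) : process_id_vulnerable(pkt, n);
}

int main(void)
{
    printf("100-byte ID: vulnerable=%d hardened=%d\n", demo(100, 0), demo(100, 1));
    printf("600-byte ID: vulnerable=%d hardened=%d (0=ok 1=rejected 2=guard clobbered)\n",
           demo(600, 0), demo(600, 1));
    return 0;
}
```

A 600-byte identification field leaves the hardened handler with a clean rejection and the vulnerable one with the guard word overwritten by filler; on a real stack that word is a saved register or return address, which is the control-flow hijack the analysis describes. Note that the only difference between the two handlers is one comparison against the destination size before memcpy.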
Affected Configurations & Surprising Persistence
The vulnerability is reachable only if the device is, or once was, configured for IKEv2 in particular modes: mobile user VPN with IKEv2, and branch office VPN with IKEv2 to a dynamic gateway peer are directly affected.
Alarmingly, deleting those configurations does not necessarily close the hole: WatchGuard’s advisory states that the Firebox may remain vulnerable if any branch office VPN to a static gateway peer is still configured.
The Fireware OS versions impacted include:
11.10.2 up to and including 11.12.4_Update1
12.0 up to and including 12.11.3
2025.1
Patches have been released in:
12.3.1_Update3 (FIPS build)
12.5.13 (for T15 & T35)
12.11.4
2025.1.1
The flaw carries a CVSS score of 9.3 (critical), a severity that matters all the more on a device that sits at the network perimeter.
Risk & Consequences
Why Attackers Would Target It
Internet-exposed interface: The IKEv2 service is often exposed to the internet on firewall appliances.
Pre-authentication exploit: No credentials needed.
Remote code execution: Full compromise of the firewall device.
Pivot potential: Once inside, attackers can intercept traffic, create tunnels, move laterally, or disable defenses.
Frankie Sclafani (Deepwatch) described it as:
“A CVSS 9.3 flaw in a perimeter defense appliance is the cyber equivalent of a five-alarm fire.”
MacKenzie Brown (Blackpoint Cyber) added:
“Successful exploitation can give a threat actor full control of the appliance allowing persistence, traffic interception, lateral movement, and the ability to use the device as a pivot.”
Current State of Exploitation
So far, no confirmed exploitation in the wild has been reported. WatchGuard’s advisory, the CIS advisory, and BleepingComputer all note that, while the vulnerability is serious, no evidence of active exploitation had been detected at the time of writing.
Security researchers caution that once a patch is public, attackers often move quickly to diff it and weaponize the flaw against unpatched deployments.
RunZero estimates that 73,000 WatchGuard appliances remain vulnerable globally as of October 2025, with the U.S. accounting for ~24,000.
Mitigation & Response
Immediate Steps & Patching
Update Fireware OS to a fixed version (see the list above).
Fireware 11.x is end of life and receives no fix: migrate those devices to a supported release immediately.
Audit your VPN configurations for IKEv2 settings (mobile user VPN and branch office VPN), both active and previously removed, since a remaining static-peer branch office VPN keeps the vulnerable code reachable.
Workarounds (Until You Can Patch)
WatchGuard provides a mitigation path for devices that only need branch office VPNs to static gateway peers:
Disable any branch office VPN with a dynamic gateway peer
Add firewall policies that allow IKE traffic (UDP 500, and UDP 4500 for NAT traversal) only to and from the IP addresses of the static peers
Disable the default system policies that handle VPN traffic, so that only those explicit policies remain
These are stopgap measures — patching remains paramount.
Detect & Contain
Log and alert on anomalous IKE traffic on UDP 500/4500, especially connection attempts from unexpected source addresses. Note that IKE_AUTH payloads travel inside IKEv2’s Encrypted payload, so oversized identification or certificate payloads are not visible to a network sensor; rely on the Firebox’s own logs, for instance iked crashes or restarts.
Segment and isolate firewalls from critical systems during remediation.
Watch for post-exploitation signs: unexpected outbound TCP connections originating from the firewall itself, unexplained process restarts, and configuration or policy changes no administrator made.
Long-Term Best Practices
Minimize exposed VPN protocols to internet unless absolutely needed.
Rotate all certificates, PSKs, and keys used for IKEv2 after patching.
Implement defense-in-depth: VPN firewall hardening, intrusion detection, strict access controls.
Adopt a vulnerability management cadence to reduce window of exposure.
Broader Lessons for VPN & Firewall Security
VPN stacks remain a high-value target: vulnerabilities in IKE, IPsec, or key negotiation are potent because they are reachable from the network perimeter, often without authentication.
Historical configurations matter: even removed settings (if a static VPN remains) can preserve exposure.
Pre-auth exploits are especially dangerous: requiring no credentials means attackers can hit widely and at scale.
Patch lag is a persistent risk: many firewalls are left vulnerable months after disclosures, often because organizations fear downtime or lack testing processes.
Regular audits help: ensure legacy configurations, unused services, and backup files don’t linger and expose paths.
Conclusion
CVE-2025-9242 in WatchGuard’s Fireware OS is a wake-up call. It is a classic example of a deep, protocol-level flaw, an out-of-bounds write in a core VPN daemon, that allows full remote control of a firewall appliance. While no confirmed exploits are publicly known, the high CVSS score, the wide range of affected versions, and the pre-authentication reachability make it a top priority for any organization running WatchGuard Firebox deployments.