WatchGuard Technologies has identified a critical security flaw in its Fireware operating system, designated as CVE-2025-9242. This vulnerability, with a CVSS 4.0 score of 9.3, allows remote, unauthenticated attackers to execute arbitrary code via IKEv2 VPN connections. The issue affects Fireware OS versions from 11.10.2 to 11.12.4_Update1, 12.0 to 12.11.3, and 2025.1, posing significant risks to numerous small and midsize enterprises.
Technical Details:
The vulnerability resides in the IKE process of Fireware OS, responsible for handling IKEv2 negotiations for mobile users and branch office VPNs configured with dynamic gateway peers. An attacker can exploit this flaw by sending specially crafted IKE_SA_INIT and IKE_SA_AUTH packets, leading to an out-of-bounds write in the `ike2_ProcessPayload_CERT` function. This occurs when attacker-controlled identification data overflows a 520-byte stack buffer without adequate bounds checking.
Even if vulnerable VPN configurations have been deleted, residual vulnerabilities may persist if static peers remain active, allowing pre-authentication access over UDP port 500. Security researchers at WatchTowr Labs, crediting btaol for the discovery, reverse-engineered the code by comparing vulnerable version 12.11.3 with the patched 12.11.4, revealing that the fix involved a simple length check addition.
This stack-based buffer overflow vulnerability, a primitive dating back to 1996, persists in 2025 enterprise equipment lacking modern mitigations like Position Independent Executables (PIE) or stack canaries, although Non-Executable (NX) protections are enabled.
Exploitation Methodology:
Exploiting CVE-2025-9242 involves several steps:
1. Firmware Version Fingerprinting: Attackers can determine the firmware version by sending a custom Vendor ID payload in IKE_SA_INIT responses, which embeds base64-encoded details like VN=12.11.3 BN=719894 for easy identification.
2. Negotiation of Cryptographic Transforms: Attackers negotiate cryptographic transforms such as AES-256 and Diffie-Hellman Group 14.
3. Payload Delivery: An oversized identification payload is sent in the IKE_SA_AUTH phase, corrupting registers and hijacking control flow, leading to a segmentation fault or the execution of a Return-Oriented Programming (ROP) chain.
WatchTowr Labs demonstrated remote code execution by chaining gadgets to invoke `mprotect` for stack execution, deploying reverse TCP shellcode that spawns a root Python interpreter. This could potentially enable filesystem remounts or the download of BusyBox for full shell access.
Potential Impact:
Firebox devices often serve as the internet-facing boundary for organizations, amplifying the risks associated with this vulnerability. A successful breach could allow attackers to pivot to internal networks, exfiltrate data, or establish persistent backdoors in environments lacking robust segmentation.
Mitigation Measures:
WatchGuard has addressed the issue in the following updated releases:
– 2025.1.1 for the 2025 branch
– 12.11.4 for the 12.x series
– 12.5.13 for T15/T35 models
– 12.3.1_Update3 for the FIPS-certified 12.3.1
Note that the 11.x series is now end-of-life. Affected products include Firebox families such as the T20 to M690 series, Cloud, and NV5/V models.
As a temporary workaround, organizations should secure IPSec/IKEv2 branch office VPNs according to WatchGuard’s knowledge base article on access controls, disabling unnecessary IKEv2 configurations if possible.
While no in-the-wild exploits have been confirmed yet, the unauthenticated nature of this vulnerability and the detailed public analysis increase the urgency for remediation. Users are advised to monitor logs for anomalous IKE traffic and apply patches promptly to safeguard VPN concentrators serving as critical gateways.
Conclusion:
The disclosure of CVE-2025-9242 underscores the importance of timely patch management and vigilant monitoring of network infrastructure. Organizations utilizing WatchGuard Firebox appliances should prioritize updating their systems to the latest firmware versions to mitigate potential threats.
