A critical vulnerability in WatchGuard Fireware OS, identified as CVE-2025-9242, is actively being exploited by attackers, posing a significant threat to organizations using the affected systems. This flaw, which has been assigned a CVSS score of 9.8, allows remote unauthenticated attackers to execute arbitrary code, potentially leading to full system compromise.
The vulnerability is an out-of-bounds write issue, categorized under CWE-787, and impacts both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This configuration is common in many enterprise environments, making the scope of potential impact quite broad.
CVE-2025-9242 was published on September 17, 2025, and has since been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of November 12, 2025. The vulnerability's exploitation in the wild was detected within 33 days of its disclosure, underscoring the urgency for organizations to address this issue promptly.
A proof-of-concept (PoC) exploit is available, which further increases the risk of exploitation as it lowers the barrier for attackers to leverage this vulnerability. The Exploit Prediction Scoring System (EPSS) for this vulnerability is 0.690, indicating a high likelihood of exploitation.
Organizations using WatchGuard Fireware OS should immediately review their VPN configurations and apply any available patches or mitigations provided by WatchGuard. The SSVC decision tree categorizes this vulnerability as "act," suggesting that immediate action is necessary to mitigate potential risks.
Given the critical nature of this vulnerability and its active exploitation, it is imperative for security teams to prioritize patching and ensure that their systems are not configured in a manner that exposes them to this threat. Regularly updating systems and monitoring for unusual activity can help mitigate the risks associated with this and similar vulnerabilities.
CSURFACE