CISA has added a critical WatchGuard Fireware flaw (CVE-2025-9242, CVSS 9.3) to its Known Exploited Vulnerabilities catalog following evidence of active attacks. The bug enables remote unauthenticated code execution on Firebox devices, with more than 54,300 systems worldwide still exposed despite available patches.

On November 13, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-9242 to its KEV catalog. The flaw affects Fireware OS versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1, and is classified as an out-of-bounds write in the iked process, the daemon that negotiates IKEv2 VPN tunnels. A remote attacker who can reach that service needs no credentials to execute arbitrary code and can potentially take full control of the affected device.
According to the Shadowserver Foundation, as of November 12, 2025, more than 54,300 Firebox devices accessible online remain vulnerable — a decrease from 75,955 recorded on October 19. The U.S. accounts for roughly 18,500 devices, followed by Italy (5,400), the U.K. (4,000), Germany (3,600), and Canada (3,000). U.S. Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply WatchGuard’s patches no later than December 3, 2025.
The vulnerability was first detailed by watchTowr Labs in October 2025. Researchers traced the flaw to a missing length check on an identification buffer filled during the IKE handshake: the length of the peer-supplied identification data is never compared against the size of the destination buffer before the copy. The server does validate the peer's certificate, but that validation happens only after the vulnerable copy has already run. Because the check comes too late, an attacker can trigger the overflow with crafted IKE traffic before any authentication takes place, which is what makes the bug exploitable pre-auth.
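The following C code is an added illustration of the bug class described above, not WatchGuard's iked source and not watchTowr's proof of concept. It parses an IKEv2 Identification payload (RFC 7296 sections 3.2 and 3.5) into a fixed-size buffer two ways: an unchecked copy that trusts the peer-supplied length field, and a hardened version that validates every packet-derived length before it is used as a copy size. The 64-byte `ID_BUF_SIZE`, the struct and function names, and the sample payloads are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example for this article: generic IKEv2 ID payload parsing, written to
 * show the missing-length-check bug class.  It is NOT WatchGuard's iked code.
 *
 * Wire layout (RFC 7296):
 *   generic payload header: next payload (1), C/reserved (1), length (2, big-endian)
 *   ID payload body:        ID type (1), reserved (3), identification data (length - 8)
 */
#define IKE_GEN_HDR_LEN  4
#define IKE_ID_FIXED_LEN 4
#define IKE_ID_MIN_LEN   (IKE_GEN_HDR_LEN + IKE_ID_FIXED_LEN)
#define ID_BUF_SIZE      64     /* hypothetical fixed-size buffer inside the daemon */

struct ike_id {
    uint8_t id_type;
    size_t  id_len;
    uint8_t id_data[ID_BUF_SIZE];
};

/* Vulnerable pattern: the payload length is taken straight from the packet and is
 * never compared with sizeof(id_data).  The test below only feeds it benign input. */
int parse_id_unchecked(const uint8_t *buf, size_t buf_len, struct ike_id *out)
{
    if (buf_len < IKE_ID_MIN_LEN)
        return -1;
    size_t plen = ((size_t)buf[2] << 8) | buf[3];
    out->id_type = buf[4];
    out->id_len  = plen - IKE_ID_MIN_LEN;
    memcpy(out->id_data, buf + IKE_ID_MIN_LEN, out->id_len);   /* no bound check */
    return 0;
}

/* Hardened version: validate before copying, and do so before any auth decision. */
int parse_id_checked(const uint8_t *buf, size_t buf_len, struct ike_id *out)
{
    if (buf == NULL || out == NULL || buf_len < IKE_ID_MIN_LEN)
        return -1;                                   /* truncated header */
    size_t plen = ((size_t)buf[2] << 8) | buf[3];
    if (plen < IKE_ID_MIN_LEN || plen > buf_len)
        return -1;                                   /* length field disagrees with packet */
    size_t id_len = plen - IKE_ID_MIN_LEN;
    if (id_len > ID_BUF_SIZE)
        return -1;                                   /* would overflow id_data: reject */
    out->id_type = buf[4];
    out->id_len  = id_len;
    memcpy(out->id_data, buf + IKE_ID_MIN_LEN, id_len);
    return 0;
}

/* Builds a well-formed ID payload; used only to construct sample input offline. */
size_t build_id_payload(uint8_t *out, size_t out_cap, uint8_t id_type,
                        const uint8_t *id, size_t id_len)
{
    size_t plen = IKE_ID_MIN_LEN + id_len;
    if (plen > 0xFFFF || plen > out_cap)
        return 0;
    out[0] = 0;                      /* next payload: none */
    out[1] = 0;                      /* critical bit clear, reserved bits zero */
    out[2] = (uint8_t)(plen >> 8);
    out[3] = (uint8_t)(plen & 0xFF);
    out[4] = id_type;                /* 2 = ID_FQDN */
    out[5] = out[6] = out[7] = 0;
    memcpy(out + IKE_ID_MIN_LEN, id, id_len);
    return plen;
}

/* Runs the constructed cases; returns 0 when the hardened parser behaves as
 * expected, otherwise the 1-based number of the first failing case. */
int self_check(void)
{
    uint8_t pkt[512];
    struct ike_id id;
    const uint8_t fqdn[] = "vpn.example.net";           /* constructed sample ID */
    size_t n = build_id_payload(pkt, sizeof pkt, 2, fqdn, 15);
    if (n != 23 || parse_id_checked(pkt, n, &id) != 0 ||
        id.id_type != 2 || id.id_len != 15 || memcmp(id.id_data, fqdn, 15) != 0)
        return 1;                                        /* benign ID must parse */
    uint8_t big[200];
    memset(big, 'A', sizeof big);                        /* oversized ID, 200 bytes */
    n = build_id_payload(pkt, sizeof pkt, 2, big, sizeof big);
    if (n != 208 || parse_id_checked(pkt, n, &id) != -1)
        return 2;                                        /* must be rejected, not copied */
    n = build_id_payload(pkt, sizeof pkt, 2, fqdn, 15);
    pkt[3] = 60;                                         /* header lies: claims 60 bytes */
    if (parse_id_checked(pkt, n, &id) != -1)
        return 3;
    if (parse_id_checked(pkt, 5, &id) != -1)
        return 4;                                        /* truncated packet */
    return 0;
}
```

The point of the contrast is that the hardened parser rejects the 200-byte identification data before any byte is copied, and it does so without reference to whether the peer has been authenticated; a bounds check that runs only after certificate validation would leave exactly the pre-auth window the article describes.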
CISA also added two more vulnerabilities to the KEV catalog: CVE-2025-62215 (CVSS 7.0), an elevation-of-privilege bug in the Windows kernel, and CVE-2025-12480 (CVSS 9.1), an improper access control flaw in Gladinet Triofox. Google's Mandiant Threat Defense team attributes active exploitation of CVE-2025-12480 to the threat actor UNC6485. Together, these additions reflect a broader pattern of newly disclosed flaws in network edge and file-sharing infrastructure being exploited within weeks of disclosure.
CVE-2025-9242 in WatchGuard Fireware is a critical risk: it leaves tens of thousands of Internet-facing Firebox devices open to unauthenticated attack through their IKEv2 VPN service. Although the exposed count is declining, it remains high. Organizations running Firebox appliances should apply the fixed Fireware releases without delay; where patching cannot happen immediately, they should limit inbound IKE/IPsec traffic (UDP 500 and 4500) to known peer addresses, disable IKEv2 mobile-user VPN and dynamic-gateway branch office VPN configurations that are not in use, and review IKE/IPsec negotiation logs for malformed or unexpected handshakes. Because the bug sits in the VPN daemon rather than the management interface, restricting management access alone does not close the attack path. Delayed updates materially raise the likelihood of compromise now that CISA has confirmed ongoing exploitation.