Security researchers have disclosed a critical vulnerability in WatchGuard Fireware OS that allows an unauthenticated attacker to execute arbitrary code and take control of the device. The vulnerability, CVE-2025-9242, carries a CVSS score of 9.3 and has been patched, but experts call it “a perfect find for ransomware groups.” It affected several Fireware OS versions: 11.10.2 through 11.12.4_Update1, the 12.0 through 12.11.3 branches, and 2025.1. The flaw lies in the iked process, which handles VPN tunnel establishment over the IKEv2 protocol.

The vulnerability originates in the ike2_ProcessPayload_CERT function in *ike2_payload_cert.c*, where data from the peer-supplied certificate (CERT) payload was copied into a fixed-size internal buffer without checking its length. An attacker could therefore send a specially crafted IKEv2 message to trigger a buffer overflow and gain arbitrary code execution before the certificate was ever validated, that is, before any authentication takes place.
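To make this class of bug concrete, here is an added example in C written for this article; it is not WatchGuard's code, and the actual buffer size and surrounding logic in iked are not given on the page, so the 64-byte destination buffer and all function names are assumptions. It parses an IKEv2 CERT payload (the RFC 7296 generic payload header followed by the certificate encoding byte and certificate data) in two ways: the unchecked pattern that trusts the attacker-controlled Payload Length field, and a hardened form that rejects a length field that is too small, larger than the bytes actually received, or larger than the destination buffer. The sample payloads are constructed inline, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IKEv2 generic payload header (RFC 7296, section 3.2): 1 byte Next Payload,
 * 1 byte C/Reserved, 2 byte Payload Length (big-endian, includes this header). */
#define IKE_PAYLOAD_HDR_LEN 4
/* CERT payload body (RFC 7296, section 3.6): 1 byte Cert Encoding, then
 * Certificate Data of (Payload Length - 5) bytes. */
#define IKE_CERT_MIN_LEN (IKE_PAYLOAD_HDR_LEN + 1)
/* Hypothetical fixed-size destination buffer (assumed; the real size in iked
 * is not stated on the page, only that the copy into it was unchecked). */
#define CERT_DATA_MAX 64

enum cert_status {
    CERT_OK = 0,
    CERT_ERR_SHORT = -1,   /* fewer bytes received than a minimal CERT payload */
    CERT_ERR_LEN = -2,     /* Payload Length field inconsistent with bytes received */
    CERT_ERR_TOOBIG = -3   /* certificate data larger than the destination buffer */
};

struct cert_payload {
    uint8_t encoding;
    size_t data_len;
    uint8_t data[CERT_DATA_MAX];
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern: the copy length comes straight from the attacker-controlled
 * Payload Length field and is never compared with sizeof(out->data). A payload
 * claiming more than CERT_DATA_MAX + 5 bytes writes past the buffer.
 * Shown for contrast only; never call it on untrusted input. */
static int cert_parse_unchecked(const uint8_t *p, size_t avail, struct cert_payload *out)
{
    if (avail < IKE_CERT_MIN_LEN)
        return CERT_ERR_SHORT;
    size_t data_len = (size_t)be16(p + 2) - IKE_CERT_MIN_LEN;
    out->encoding = p[4];
    memcpy(out->data, p + 5, data_len);   /* unbounded: overflows out->data */
    out->data_len = data_len;
    return CERT_OK;
}

/* Hardened form: the length field must cover at least the minimal payload, must
 * not exceed what was actually received, and the data must fit the buffer. */
static int cert_parse_checked(const uint8_t *p, size_t avail, struct cert_payload *out)
{
    if (avail < IKE_CERT_MIN_LEN)
        return CERT_ERR_SHORT;
    uint16_t plen = be16(p + 2);
    if (plen < IKE_CERT_MIN_LEN || plen > avail)
        return CERT_ERR_LEN;
    size_t data_len = plen - IKE_CERT_MIN_LEN;
    if (data_len > sizeof out->data)
        return CERT_ERR_TOOBIG;
    out->encoding = p[4];
    memcpy(out->data, p + 5, data_len);
    out->data_len = data_len;
    return CERT_OK;
}

/* Constructed sample inputs (not real captures). */
static const uint8_t SAMPLE_BENIGN[] = {
    0x00, 0x00, 0x00, 0x15,                  /* next=0, reserved, length=21 */
    0x04,                                    /* encoding 4: X.509 signature cert */
    'c','e','r','t','-','d','a','t','a','-','b','y','t','e','s','!'
};

/* Claims 64 bytes but only 10 arrive: length field exceeds received data. */
static const uint8_t SAMPLE_TRUNCATED[] = {
    0x00, 0x00, 0x00, 0x40, 0x04, 'x','x','x','x','x'
};

int demo_checked_benign(void)
{
    struct cert_payload c;
    int rc = cert_parse_checked(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, &c);
    return rc == CERT_OK ? (int)c.data_len : rc;   /* 16 on success */
}

int demo_checked_truncated(void)
{
    struct cert_payload c;
    return cert_parse_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &c);
}

/* A self-consistent 256-byte CERT payload: valid on the wire, but its 251 bytes
 * of certificate data would overrun the 64-byte buffer. */
int demo_checked_oversized(void)
{
    struct cert_payload c;
    uint8_t big[256];
    memset(big, 0xAA, sizeof big);
    big[0] = 0; big[1] = 0; big[2] = 0x01; big[3] = 0x00;   /* length = 256 */
    big[4] = 0x04;
    return cert_parse_checked(big, sizeof big, &c);
}

int demo_unchecked_benign(void)
{
    struct cert_payload c;
    int rc = cert_parse_unchecked(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, &c);
    return rc == CERT_OK ? (int)c.data_len : rc;   /* 16: fine on benign input only */
}

int main(void)
{
    printf("checked/benign    -> %d\n", demo_checked_benign());
    printf("checked/truncated -> %d\n", demo_checked_truncated());
    printf("checked/oversized -> %d\n", demo_checked_oversized());
    printf("unchecked/benign  -> %d\n", demo_unchecked_benign());
    return 0;
}
```

The checked parser returns a distinct error for each rejected case; the three comparisons it makes (minimum length, length versus bytes received, length versus destination size) are the ones to look for when reviewing any network parser that copies a length-prefixed field into fixed storage.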
Although Fireware does not offer an interactive shell, researchers from watchTowr Labs demonstrated that an attacker can take control of the instruction pointer (RIP), bypass NX protection with a call to mprotect(), and obtain a Python shell over TCP. From there it is possible to:
call execve from Python to remount the file system read-write;
load BusyBox onto the device;
create a /bin/sh symbolic link to it, giving full access to the underlying Linux environment.
WatchGuard has fixed the bug in the following versions:
2025.1.1
12.11.4
12.3.1_Update3 (FIPS)
12.5.13 (T15/T35)
The 11.x branch is End of Life (EOL) and no 11.x fix is listed; devices still running it need to be upgraded to a supported branch.
According to experts, this vulnerability is a textbook example of the risk that corporate VPN gateways carry. Its defining features, unauthenticated remote exploitation, direct reachability from the Internet, and a high likelihood of complete device takeover, are exactly what ransomware groups look for.
WatchGuard Fireware OS is deployed by thousands of organizations worldwide, including financial institutions, government agencies, and large enterprises, so even a short delay in patching could lead to mass compromise.
In addition, watchTowr Labs reported other fixed issues:
Taken together, these findings illustrate the scale of the problem: even leading enterprise vendors remain exposed because of a single missing length check or careless handling of client-supplied data. The WatchGuard Fireware case is another reminder that promptly updating VPN appliances and firewalls is critical for any organization. Experts advise confirming the Fireware OS version in use, installing the latest updates, and restricting public access to IKEv2 services (UDP ports 500 and 4500) to known peers wherever the VPN configuration allows it. Any such vulnerability on the network perimeter can become the entry point for a large-scale attack, and a single missed patch can turn into weeks of downtime and data loss.