The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting WatchGuard Fireware to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability in question is CVE-2025-9242 (CVSS score: 9.3), an out-of-bounds write vulnerability affecting Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1. It was patched by WatchGuard in September.
“WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code,” CISA said in an advisory.
Details of the vulnerability were shared by watchTowr Labs last month, with the cybersecurity company stating that the issue stems from a missing length check on an identification buffer used during the IKE handshake process.
“The server does attempt certificate validation, but that validation happens after the vulnerable code runs, allowing our vulnerable code path to be reachable pre-authentication,” security researcher McCaulay Hudson noted.
In an update to its advisory on October 21, 2025, WatchGuard said it has evidence suggesting active exploitation of the flaw, sharing three indicators of compromise (IoCs) associated with the activity –
- An IKE_AUTH request log message with an abnormally large IKE_AUTH request IDi payload greater than 100 bytes
- During a successful exploit, the iked process will hang, interrupting VPN connections
- After a failed or successful exploit, the iked process will crash and generate a fault report on the Firebox
According to data from the Shadowserver Foundation, more than 54,300 Firebox instances remain vulnerable to the critical bug as of November 12, 2025, down from a high of 75,955 on October 19.
 |
| Number of exposed WatchGuard Firebox instances |
Roughly 18,500 of these devices are in the U.S., the scans reveal. Italy (5,400), the U.K. (4,000), Germany (3,600), and Canada (3,000) round up the top five. Federal Civilian Executive Branch (FCEB) agencies are advised to apply WatchGuard’s patches by December 3, 2025.
The development comes as CISA also added CVE-2025-62215 (CVSS score: 7.0), a recently disclosed flaw in Windows kernel, and CVE-2025-12480 (CVSS score: 9.1), an improper access control vulnerability in Gladinet Triofox, to the KEV catalog. Google’s Mandiant Threat Defense team has attributed the exploitation of CVE-2025-12480 to a threat actor it tracks as UNC6485.
(The story was updated after publication to include information from WatchGuard confirming active exploitation efforts.)
