Critical WatchGuard Fireware Flaw Could Let Attackers Execute Code Pre-Authentication

Fireware OS is at risk of an out-of-bounds write vulnerability.

Published on Oct 21, 2025
Written by Mirren McDade

Researchers have disclosed a critical out-of-bounds write vulnerability in WatchGuard Fireware OS that could allow unauthenticated attackers to execute arbitrary code.

Tracked as CVE-2025-9242 with a CVSS score of 9.3, the flaw affects multiple versions of Fireware OS and impacts both mobile user and branch office VPNs using IKEv2.

According to security researcher McCaulay Hudson, the vulnerability stems from an out-of-bounds write in the ike2_ProcessPayload_CERT function, part of the iked process, which handles client SSL certificate validation during the IKE_SA_AUTH phase of VPN establishment. By exploiting the lack of length checks on the identification buffer, an attacker can trigger a buffer overflow before certificate validation occurs.
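To illustrate the bug class described above, here is an added C example that is hypothetical and not WatchGuard's iked source: a routine that copies an IKEv2 CERT payload (RFC 7296 generic header plus a one-byte encoding field) into a fixed-size buffer while trusting the peer-supplied payload length, shown beside the same routine with the bounds check that prevents the out-of-bounds write. The names ID_CAP, peer_cert, cert_copy_unchecked, cert_copy_checked and build_cert_payload are invented for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* IKEv2 generic payload header (RFC 7296, section 3.2): next payload (1 byte), critical/reserved (1),
 * length (2, big-endian, counts the header). A CERT payload then carries a 1-byte encoding and the data. */
#define IKE_HDR_LEN 4
#define CERT_ENC_LEN 1
#define ID_CAP 64   /* hypothetical fixed-size destination buffer, not WatchGuard's */

struct peer_cert { uint8_t enc; uint8_t data[ID_CAP]; size_t len; };

/* Validates the header against the bytes received; returns the declared data length, or -1 if malformed. */
static long cert_data_len(const uint8_t *pl, size_t avail) {
    if (avail < IKE_HDR_LEN + CERT_ENC_LEN) return -1;
    uint16_t plen = (uint16_t)((pl[2] << 8) | pl[3]);
    if (plen < IKE_HDR_LEN + CERT_ENC_LEN || plen > avail) return -1;
    return (long)plen - IKE_HDR_LEN - CERT_ENC_LEN;
}

/* Hypothetical vulnerable pattern: the copy length comes from the peer and is never compared with ID_CAP. */
int cert_copy_unchecked(struct peer_cert *out, const uint8_t *pl, size_t avail) {
    long dlen = cert_data_len(pl, avail);
    if (dlen < 0) return -1;
    out->enc = pl[IKE_HDR_LEN];
    memcpy(out->data, pl + IKE_HDR_LEN + CERT_ENC_LEN, (size_t)dlen); /* OOB write when dlen > ID_CAP */
    out->len = (size_t)dlen;
    return 0;
}

/* Hardened form: refuse the payload before any byte is copied when the declared data would not fit. */
int cert_copy_checked(struct peer_cert *out, const uint8_t *pl, size_t avail) {
    long dlen = cert_data_len(pl, avail);
    if (dlen < 0) return -1;
    if (dlen > ID_CAP) return -2;   /* the length check the article describes as missing */
    out->enc = pl[IKE_HDR_LEN];
    memcpy(out->data, pl + IKE_HDR_LEN + CERT_ENC_LEN, (size_t)dlen);
    out->len = (size_t)dlen;
    return 0;
}

/* Builds a constructed CERT payload (encoding 4 = X.509 signature cert) declaring dlen data bytes. */
size_t build_cert_payload(uint8_t *buf, size_t cap, size_t dlen) {
    size_t total = IKE_HDR_LEN + CERT_ENC_LEN + dlen;
    if (total > cap || total > 0xFFFF) return 0;
    buf[0] = 0; buf[1] = 0; buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[4] = 4;
    memset(buf + IKE_HDR_LEN + CERT_ENC_LEN, 0x41, dlen);
    return total;   /* 0 on failure, otherwise header + encoding + data length */
}
```

The hardened routine rejects an oversized payload with -2 before touching the destination, and both routines reject a payload whose header claims more bytes than were actually received.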

The vulnerability impacts both mobile user VPNs using IKEv2 and branch office VPNs configured with dynamic gateways, highlighting the potential risk to exposed network endpoints.

In their advisory, published Oct. 17, WatchGuard wrote, “If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.”

Because the flaw is reachable prior to authentication and is exposed via an Internet-facing service, it is considered highly attractive to ransomware operators.

Affected Versions and Patches

The vulnerability impacts the following Fireware OS releases:

WatchGuard has released updates to address the issue across all supported versions, and organizations are urged to apply patches immediately.

What Are Experts Saying?

Analysis from watchTowr Labs summarizes the vulnerability as having “all the characteristics your friendly neighbourhood ransomware gangs love to see,” because it could:

  • Impact an Internet-exposed IKEv2 VPN service
  • Be reached prior to any authentication step
  • Enable remote execution of arbitrary code on the perimeter device

Hudson highlighted the technical root of the flaw, emphasizing that it occurs before certificate validation during the IKE_SA_AUTH phase. The exploit demonstrates how even a non-interactive server can be manipulated into providing a foothold for further attacks.

The Bigger Picture

CVE-2025-9242 reinforces the need for organizations to monitor VPN endpoints and apply security updates promptly. Because the flaw affects Fireware devices deployed in small and midsize enterprises globally, unpatched systems could be targeted by attackers seeking initial access to internal networks.

The discovery also serves as a reminder that VPNs and other network perimeter devices remain high-value targets for attackers, not only for data theft but also for potential operational disruption. Timely patching, diligent configuration review, and active monitoring are essential to mitigate the risks stemming from such pre-authentication vulnerabilities.