Critical WatchGuard VPN Flaw Exposes Businesses to Remote Code Execution

Security researchers have uncovered a critical vulnerability in WatchGuard's Fireware OS, potentially allowing unauthenticated remote attackers to execute arbitrary code on affected devices. The flaw, tracked as CVE-2025-9242, poses a significant risk to businesses relying on WatchGuard VPNs for secure network access. Patches are available, and immediate action is advised.

Key Takeaways

  • A critical out-of-bounds write vulnerability (CVE-2025-9242) affects WatchGuard Fireware OS.

  • It allows unauthenticated remote attackers to execute arbitrary code.

  • The vulnerability impacts IKEv2 VPN configurations, both for mobile users and branch offices with dynamic gateway peers.

  • Patches have been released, and users are urged to update immediately.

The Vulnerability Explained

The critical security flaw, identified as CVE-2025-9242, resides within the process of WatchGuard's Fireware OS. It's an out-of-bounds write vulnerability that can be exploited by a remote, unauthenticated attacker to achieve arbitrary code execution. The vulnerability has a high CVSS score of 9.3, classifying it as critical.

This flaw specifically affects devices configured with Mobile User VPN using IKEv2 or Branch Office VPN using IKEv2 with a dynamic gateway peer. Even if these configurations have been deleted, a device can remain vulnerable if a branch office VPN to a static gateway peer is still configured.

Technical Details of the Exploit

Researchers from watchTowr Labs detailed how the vulnerability is rooted in the function. During the IKE_SA_AUTH phase of the VPN handshake, the system copies client identification data into a fixed-size stack buffer. However, a missing length check allows an attacker to send oversized data, causing a buffer overflow. This overflow can overwrite critical memory, including the instruction pointer, enabling remote code execution before any authentication occurs.
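As an added illustration, not WatchGuard's code (Fireware sources are not public), here is a hypothetical IKEv2 Identification-payload handler in the shape the researchers describe, beside one that validates the peer-supplied length against the bytes actually received and against the stack buffer before copying. The buffer size, function names and the sample payloads are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ID_BUF_LEN 64           /* hypothetical fixed-size stack buffer for the peer ID */
#define IKE_HDR_LEN 4           /* generic payload header: next, flags, 16-bit length */
#define ID_FIXED_LEN 4          /* ID payload: ID type + 3 reserved bytes (RFC 7296 3.5) */
#define ID_DATA_OFF (IKE_HDR_LEN + ID_FIXED_LEN)

/* Vulnerable shape: the peer-supplied length field drives the copy size, so an
 * oversized IDi payload overruns the 64-byte stack buffer. Never called here. */
void copy_id_unchecked(const uint8_t *payload, char out[ID_BUF_LEN]) {
    uint16_t plen = (uint16_t)((payload[2] << 8) | payload[3]);
    memcpy(out, payload + ID_DATA_OFF, plen - ID_DATA_OFF);   /* no bounds check */
}

/* Hardened shape: validate the length field against the bytes actually received
 * and against the destination before copying. Returns ID length or -1 on reject. */
int copy_id_checked(const uint8_t *msg, size_t msg_len, char out[ID_BUF_LEN]) {
    if (msg == NULL || msg_len < ID_DATA_OFF)
        return -1;
    uint16_t plen = (uint16_t)((msg[2] << 8) | msg[3]);
    if (plen < ID_DATA_OFF || (size_t)plen > msg_len)
        return -1;                     /* length field disagrees with the datagram */
    size_t id_len = plen - ID_DATA_OFF;
    if (id_len > ID_BUF_LEN - 1)
        return -1;                     /* would not fit (one byte kept for NUL) */
    memcpy(out, msg + ID_DATA_OFF, id_len);
    out[id_len] = '\0';
    return (int)id_len;
}

/* Constructed payloads (not captured traffic) exercising the hardened handler. */
int demo_valid_id(void) {               /* ID_FQDN "vpn.example", length 0x13 = 19 */
    static const uint8_t msg[] = { 0x27, 0x00, 0x00, 0x13, 0x02, 0x00, 0x00, 0x00,
                                   'v','p','n','.','e','x','a','m','p','l','e' };
    char id[ID_BUF_LEN];
    return copy_id_checked(msg, sizeof msg, id);               /* 11 */
}
int demo_length_field_lies(void) {      /* claims 0xffff bytes, only 8 received */
    static const uint8_t msg[] = { 0x27, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00 };
    char id[ID_BUF_LEN];
    return copy_id_checked(msg, sizeof msg, id);               /* -1 */
}
int demo_too_long_for_buffer(void) {    /* consistent framing, but a 200-byte ID */
    uint8_t msg[ID_DATA_OFF + 200];
    memset(msg, 'A', sizeof msg);
    msg[0] = 0x27; msg[1] = msg[5] = msg[6] = msg[7] = 0x00; msg[2] = 0x00; msg[3] = 0xd0; msg[4] = 0x02;
    char id[ID_BUF_LEN];
    return copy_id_checked(msg, sizeof msg, id);               /* -1 */
}
```

The second and third cases are the two checks the unchecked version lacks: a length field that exceeds what was received, and a well-framed payload that simply does not fit the destination.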

While Fireware OS doesn't have a traditional interactive shell, attackers can leverage this vulnerability to spawn a Python shell over TCP, bypass NX bit mitigations, and then escalate privileges to gain a full Linux shell. This involves remounting the filesystem as read/write, downloading a BusyBox binary, and symlinking to it.

Affected Versions and Patching

The vulnerability impacts the following Fireware OS versions:

  • 11.10.2 up to and including 11.12.4_Update1

  • 12.0 up to and including 12.11.3

  • 2025.1

WatchGuard has released patches for these versions:

  • 2025.1 is fixed in 2025.1.1

  • 12.x is fixed in 12.11.4

  • 12.3.1 (FIPS-certified release) is fixed in 12.3.1_Update3

  • 12.5.x (T15 & T35 models) is fixed in 12.5.13

Versions 11.x have reached end-of-life and are no longer supported.

Mitigation and Recommendations

Given the critical nature of this pre-authentication remote code execution vulnerability on a perimeter security device, organizations using WatchGuard Fireware are strongly advised to upgrade their systems immediately to the patched versions. For environments where an immediate upgrade is not feasible, WatchGuard recommends temporary workarounds such as securing access to branch office VPN tunnels and restricting incoming IKEv2 traffic to known peer IP addresses through network segmentation and firewall rules.

Sources

  • Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices, The Hacker News.

  • A critical WatchGuard Fireware flaw could allow unauthenticated code execution, Security Affairs.

  • Critical WatchGuard Vulnerability Lets Unauthenticated Attackers Run Arbitrary Code, GBHackers News.

  • WatchGuard VPN Vulnerability Allows Remote Code Execution, Cyber Press.

  • WatchGuard VPN Flaw Allows Remote Attackers to Execute Arbitrary Code, GBHackers News.
