CISA has added CVE-2025-9242 to its Known Exploited Vulnerabilities (KEV) catalog following confirmed exploitation in the wild. This critical flaw, an out-of-bounds write in the IKEv2 handling of WatchGuard Fireware OS, allows unauthenticated remote code execution (RCE) via crafted IKEv2 VPN packets. Continue reading this Cybersecurity Threat Advisory to learn how to mitigate risks from this vulnerability.
What is the threat?
The vulnerability resides in the iked process, which implements the IKEv2 VPN protocol for Mobile User VPN with IKEv2 and Branch Office VPN tunnels. The flaw is in the ike2_ProcessPayload_CERT function, which handles the IKEv2 Certificate (CERT) payload: identification data processed during the IKE handshake is copied into a fixed-size buffer with no check that it fits.
An unauthenticated attacker who can reach the Firebox's IKE service (UDP 500 and 4500) can send a crafted payload whose identification data exceeds that buffer, producing an out-of-bounds write that leads to code execution. Successful exploitation can grant full control of the firewall OS, allowing rule changes, credential theft, and lateral movement into the networks behind it. WatchGuard's advisory notes that a Firebox is exposed when it is configured with a Branch Office VPN to a dynamic gateway peer or a Mobile User VPN with IKEv2; if such a configuration was created and later deleted, the device remains vulnerable as long as a Branch Office VPN to a static gateway peer is still configured.
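As an added illustration of the bug class (constructed for this advisory; it is not WatchGuard's or watchTowr's code and does not reproduce the real iked logic), the C below parses an IKEv2 generic payload header as laid out in RFC 7296 section 3.2, then copies a CERT payload body into a fixed 520-byte buffer first without and then with the length check. The 520-byte destination size, the function names, and the sample payload are assumptions; only the header layout and the CERT payload type number come from the RFC.

```c
/* Constructed example, not Fireware code: IKEv2 generic payload parsing
 * with an unchecked copy (the bug's shape) beside the checked form. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IKE_PAYLOAD_HDR_LEN 4     /* Next Payload, C+Reserved, Length(2) */
#define IKE_PAYLOAD_CERT    37    /* CERT payload type, RFC 7296 s3.2 */
#define CERT_BUF_LEN        520   /* assumed fixed-size destination buffer */

enum ike_status {
    IKE_OK = 0,
    IKE_ERR_TRUNCATED,   /* header or body runs past the datagram */
    IKE_ERR_TOO_LARGE,   /* body would not fit the destination buffer */
    IKE_ERR_TYPE         /* not a CERT payload */
};

struct ike_payload {
    uint8_t  next_payload;
    uint8_t  critical;
    uint16_t length;      /* total length, including the 4-byte header */
    const uint8_t *body;
    size_t   body_len;
};

/* Parse a generic payload header at p[0..avail) and bound it to the datagram. */
static enum ike_status ike_parse_payload(const uint8_t *p, size_t avail,
                                         struct ike_payload *out)
{
    if (avail < IKE_PAYLOAD_HDR_LEN)
        return IKE_ERR_TRUNCATED;
    out->next_payload = p[0];
    out->critical     = p[1] >> 7;
    out->length       = (uint16_t)((p[2] << 8) | p[3]);
    if (out->length < IKE_PAYLOAD_HDR_LEN || out->length > avail)
        return IKE_ERR_TRUNCATED;
    out->body     = p + IKE_PAYLOAD_HDR_LEN;
    out->body_len = out->length - IKE_PAYLOAD_HDR_LEN;
    return IKE_OK;
}

/* VULNERABLE pattern: the 16-bit length field is attacker controlled, so
 * body_len may be up to 65531 while dst holds 520 bytes. Only ever call
 * this on a body that fits; it exists to show the missing check. */
static size_t cert_copy_unchecked(const struct ike_payload *pl,
                                  uint8_t dst[CERT_BUF_LEN])
{
    memcpy(dst, pl->body, pl->body_len);   /* out-of-bounds write if > 520 */
    return pl->body_len;
}

/* HARDENED form: reject before touching dst. */
static enum ike_status cert_copy_checked(const struct ike_payload *pl,
                                         uint8_t dst[CERT_BUF_LEN],
                                         size_t *copied)
{
    if (pl->body_len > CERT_BUF_LEN)
        return IKE_ERR_TOO_LARGE;
    memcpy(dst, pl->body, pl->body_len);
    *copied = pl->body_len;
    return IKE_OK;
}

/* Hardened path for one payload. In IKEv2 the type comes from the previous
 * payload's Next Payload field, so it is passed in separately. */
enum ike_status process_cert_payload(const uint8_t *msg, size_t len,
                                     uint8_t payload_type, size_t *copied)
{
    struct ike_payload pl;
    uint8_t cert_buf[CERT_BUF_LEN];
    enum ike_status st = ike_parse_payload(msg, len, &pl);
    if (st != IKE_OK)
        return st;
    if (payload_type != IKE_PAYLOAD_CERT)
        return IKE_ERR_TYPE;
    return cert_copy_checked(&pl, cert_buf, copied);
}

/* Build a constructed CERT payload: header, Cert Encoding byte, filler.
 * Returns bytes written, or 0 if it cannot be expressed or does not fit. */
size_t build_cert_payload(uint8_t *out, size_t out_cap, size_t body_len)
{
    size_t total = IKE_PAYLOAD_HDR_LEN + body_len;
    if (body_len < 1 || total > out_cap || total > 0xFFFF)
        return 0;
    out[0] = 0;                        /* Next Payload: none */
    out[1] = 0;                        /* Critical bit clear */
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)(total & 0xFF);
    out[4] = 4;                        /* Cert Encoding 4 = X.509 Certificate - Signature */
    memset(out + 5, 0x41, body_len - 1);
    return total;
}

/* One test case: a body_len-byte CERT payload, optionally with only `avail`
 * bytes "on the wire" (0 = all of it), run through the hardened path. */
enum ike_status check_cert_case(size_t body_len, size_t avail, size_t *copied)
{
    static uint8_t msg[65536];
    size_t total = build_cert_payload(msg, sizeof msg, body_len);
    *copied = 0;
    if (total == 0)
        return IKE_ERR_TOO_LARGE;
    if (avail == 0 || avail > total)
        avail = total;
    return process_cert_payload(msg, avail, IKE_PAYLOAD_CERT, copied);
}

int main(void)
{
    size_t n;
    uint8_t buf[CERT_BUF_LEN];
    struct ike_payload pl;
    static uint8_t small[IKE_PAYLOAD_HDR_LEN + 100];

    printf("100-byte body:            status %d\n", check_cert_case(100, 0, &n));
    printf("600-byte body:            status %d\n", check_cert_case(600, 0, &n));
    printf("claims 604, 50 on wire:   status %d\n", check_cert_case(600, 50, &n));
    build_cert_payload(small, sizeof small, 100);   /* fits, so safe to copy */
    ike_parse_payload(small, sizeof small, &pl);
    printf("unchecked copy of a fitting body: %zu bytes\n",
           cert_copy_unchecked(&pl, buf));
    return 0;
}
```

The two checks matter separately: the parser bounds the claimed payload length to the bytes actually received, and the copy bounds the body to the destination. Dropping the second is enough to turn a 16-bit length field into a stack write of up to roughly 65 KB, which is the class of defect the advisory describes.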
The following Fireware versions are affected:
- Fireware OS 11.10.2 through 11.12.4_Update1
- Fireware OS 12.0 through 12.11.3
- Fireware OS 2025.1
Why is it noteworthy?
Firewalls are high-value targets: ransomware groups and state-sponsored actors routinely exploit edge devices for initial network entry, data exfiltration, and traffic interception. This vulnerability needs no authentication and is reachable from the internet on the IKE ports (UDP 500 and 4500) of any exposed Firebox, which makes it a priority target.
What is the exposure or risk?
As of November 2025, roughly 54,000 internet-exposed WatchGuard Firebox instances were identified as potentially vulnerable, with the largest share in the United States, followed by Italy, the United Kingdom, Germany, and Canada. Risks include:
- Unauthorized access to sensitive data, including credentials and VPN keys held on the appliance.
- Loss of control of the firewall once arbitrary code is executed and the attacker holds the device.
- Disruption or downtime of affected systems.
What are the recommendations?
Barracuda strongly recommends organizations take these steps to protect their environment:
- Update the Fireware OS to a patched release. Per WGSA-2025-00015, the fix is in Fireware OS 2025.1.1, 12.11.4, 12.5.13 (T15 and T35 models), and 12.3.1_Update3 (B722811) for FIPS-certified models; Fireware OS 11.x is end of life and has no fixed release.
- Rotate all secrets stored locally on vulnerable Firebox appliances (administrative credentials, VPN pre-shared keys, and certificates) as a precaution against undetected prior compromise.
- Use WatchGuard's recommendations for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround if immediate patching is not possible.
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2025/11/cisa-flags-critical-watchguard-fireware.html
- https://thehackernews.com/2025/10/researchers-uncover-watchguard-vpn-bug.html
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.