
Critical WatchGuard Fireware OS VPN Vulnerability (CVE-2025-9242) Allows Unauthenticated Remote Device Takeover

  • Rescana
  • Oct 19

Executive Summary

A critical vulnerability in WatchGuard's Fireware OS—tracked as CVE-2025-9242 and assigned a CVSS score of 9.3—has been uncovered by security researchers. It enables unauthenticated remote attackers to execute arbitrary code and potentially take full control of affected devices. The flaw resides in the IKEv2 VPN implementation and is particularly dangerous because of its pre-authentication attack vector: attackers do not need valid credentials to exploit it. The vulnerability is especially concerning for organizations relying on WatchGuard Firebox appliances as perimeter security devices, as it could facilitate network breaches, ransomware deployment, and persistent access by advanced threat actors. This advisory provides a comprehensive technical breakdown, exploitation scenarios, threat actor context, affected product versions, and actionable mitigation guidance, all based on publicly available, verified sources.

Threat Actor Profile

No specific APT group has been publicly attributed to active exploitation of CVE-2025-9242 as of this report. However, the vulnerability is considered highly valuable for both ransomware operators and state-sponsored actors targeting network infrastructure. The Russian APT group Sandworm has a documented history of targeting WatchGuard appliances, notably using them to construct the Cyclops Blink botnet, which primarily targeted Western organizations, including critical infrastructure and enterprise sectors. The technical characteristics of CVE-2025-9242—pre-authentication, remote code execution, and exposure on perimeter devices—make it an ideal target for similar APTs and ransomware gangs. Security researchers have explicitly warned that the bug "has all the characteristics your friendly neighbourhood ransomware gangs love to see," and it is likely to be incorporated into attack toolkits in the near future.

Technical Analysis of Malware/TTPs

The vulnerability, CVE-2025-9242, is an out-of-bounds write in the iked process, which is the IKEv2 VPN daemon within WatchGuard Fireware OS. The root cause is a lack of proper length validation in the function ike2_ProcessPayload_CERT (located in src/ike/iked/v2/ike2_payload_cert.c). During the IKE_SA_AUTH phase of the VPN handshake, the code copies a client-supplied "identification" payload into a fixed 520-byte stack buffer without adequate bounds checking. This oversight allows a remote attacker to send a specially crafted IKEv2 packet with an oversized payload, resulting in a stack buffer overflow before any authentication or certificate validation occurs.
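To make the missing check concrete, the following is an added illustration, not WatchGuard's code and not taken from the published analyses: it models a CERT payload parser that copies the payload body into a fixed 520-byte buffer, as the paragraph above describes, with the destination-bound length check in place. The generic payload header layout follows RFC 7296; function names, the enum, and the constructed test payload are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not WatchGuard's code: models the length check the advisory
 * says ike2_ProcessPayload_CERT lacks. Names and field layout are assumptions. */
#define CERT_BUF_SIZE 520   /* fixed stack buffer size named in the advisory */
#define IKEV2_HDR_LEN 4     /* generic payload header, RFC 7296 section 3.2 */

enum cert_result {
    CERT_ERR_SHORT_HEADER = -1,  /* fewer than 4 input bytes */
    CERT_ERR_BAD_LENGTH = -2,    /* length field below header size or past input */
    CERT_ERR_TOO_LARGE = -3      /* body would overrun the fixed buffer */
};

/* Parse one IKEv2 CERT payload and copy its body (Cert Encoding byte plus
 * Certificate Data) into out[CERT_BUF_SIZE]. Returns body bytes copied or a
 * negative cert_result. The unchecked pattern the advisory describes is this
 * same memcpy without the CERT_ERR_TOO_LARGE test. */
int parse_cert_payload_checked(const uint8_t *in, size_t in_len,
                               uint8_t out[CERT_BUF_SIZE])
{
    if (in == NULL || out == NULL || in_len < IKEV2_HDR_LEN)
        return CERT_ERR_SHORT_HEADER;
    /* Payload Length is big-endian and includes the 4-byte header. */
    uint16_t payload_len = (uint16_t)((in[2] << 8) | in[3]);
    if (payload_len < IKEV2_HDR_LEN || payload_len > in_len)
        return CERT_ERR_BAD_LENGTH;
    size_t body_len = payload_len - IKEV2_HDR_LEN;
    /* Bound the copy by the destination size, not by the peer-supplied length. */
    if (body_len > CERT_BUF_SIZE)
        return CERT_ERR_TOO_LARGE;
    memcpy(out, in + IKEV2_HDR_LEN, body_len);
    return (int)body_len;
}

/* Constructed input for exercising the parser: a CERT payload with body_len
 * body bytes (>= 1). buf must hold body_len + 4 bytes; returns total length. */
size_t build_cert_payload(uint8_t *buf, size_t body_len, uint8_t encoding)
{
    size_t total = body_len + IKEV2_HDR_LEN;
    buf[0] = 0;                          /* Next Payload: none */
    buf[1] = 0;                          /* Critical bit clear, reserved zero */
    buf[2] = (uint8_t)(total >> 8);      /* Payload Length, big-endian */
    buf[3] = (uint8_t)(total & 0xff);
    buf[4] = encoding;                   /* 4 = X.509 Certificate - Signature */
    memset(buf + 5, 0xAA, body_len - 1); /* filler standing in for DER bytes */
    return total;
}
```

A payload whose body is even one byte longer than the buffer is rejected before any copy, which is the boundary the advisory says the vulnerable code failed to enforce.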

The attack vector is network-based and does not require any credentials, making it a pre-authentication remote code execution (RCE) vulnerability. The exploit chain begins with the attacker sending a malicious IKEv2 packet to the VPN endpoint. The vulnerable code path is triggered, allowing the attacker to overwrite the instruction pointer (RIP) and hijack execution flow. By leveraging the mprotect() system call, the attacker can bypass no-execute (NX) memory protections and spawn a remote Python shell over TCP. Post-exploitation, the attacker can escalate privileges to a full Linux shell by remounting the filesystem as read/write, downloading a BusyBox binary, and symlinking /bin/sh to BusyBox.

The vulnerability affects devices configured for mobile user VPN with IKEv2, branch office VPN using IKEv2 with dynamic gateway peer, and even devices where such configurations have been deleted if a static gateway peer remains. The flaw is present in multiple versions of Fireware OS and across a broad range of Firebox models, including both physical and virtual appliances.

Proof-of-concept (PoC) code and detailed technical analyses have been published by watchTowr Labs and security researcher McCaulay Hudson, demonstrating the exploitability and post-exploitation steps. The vulnerability is considered highly attractive to both ransomware operators and state-sponsored advanced persistent threat (APT) groups due to its ease of exploitation, exposure on perimeter devices, and potential for full device compromise.

Exploitation in the Wild

As of the latest public reporting, there is no confirmed evidence of mass exploitation of CVE-2025-9242 in the wild. However, the vulnerability is under active discussion in the security research community, and its characteristics make it a prime candidate for rapid weaponization. Security vendors and researchers have issued urgent advisories, warning that the flaw is likely to be targeted by threat actors seeking to compromise enterprise networks, deploy ransomware, or establish persistent access for espionage.

Historical context underscores the risk: WatchGuard appliances have previously been targeted by sophisticated threat actors, including the Russian state-sponsored Sandworm group, which leveraged similar vulnerabilities to build the Cyclops Blink botnet. Given the pre-authentication nature of the bug and its presence on internet-exposed VPN endpoints, organizations should assume that exploitation attempts are imminent and act with urgency.

Indicators of compromise (IOCs) associated with exploitation include unusual VPN connections from unfamiliar IP addresses (especially using IKEv2), unexpected processes such as Python shells or BusyBox binaries running on Firebox appliances, outbound connections from the device to attacker-controlled infrastructure, and filesystem changes such as remounts or new binaries appearing in /tmp or /var.

Victimology and Targeting

The vulnerability is especially concerning for organizations relying on WatchGuard Firebox appliances as perimeter security devices, as it could facilitate network breaches, ransomware deployment, and persistent access by advanced threat actors. Sectors at risk include government, critical infrastructure, finance, healthcare, and large enterprises globally. Historical APT activity (e.g., Sandworm) has targeted Western organizations, including critical infrastructure and enterprise sectors.

Mitigation and Countermeasures

Immediate patching to the latest available Fireware OS versions is the most effective mitigation. Organizations should upgrade to 2025.1.1, 12.11.4, 12.5.13 (for T15 and T35), or 12.3.1_Update3 (FIPS-certified) as appropriate for their device model. Devices running the 11.x branch should be considered end-of-life and replaced or isolated.

If patching is not immediately possible, organizations should remove all dynamic gateway peer configurations and follow WatchGuard’s official guidance for securing branch office VPNs that use IPSec and IKEv2. Restricting VPN access to trusted IP addresses can reduce exposure, and administrators should ensure that management interfaces are not exposed to the internet.

Continuous monitoring for indicators of compromise is essential. Security teams should look for unusual VPN activity, unexpected processes (such as Python shells or BusyBox binaries), outbound connections to unfamiliar destinations, and unauthorized filesystem changes. Implementing network segmentation and least-privilege access controls can further limit the impact of a potential breach.

About Rescana

Rescana is committed to helping organizations manage and mitigate third-party cyber risk. Our TPRM platform provides continuous monitoring, automated risk assessment, and actionable intelligence to help you stay ahead of emerging threats. While this advisory focuses on a specific vulnerability in WatchGuard products, our platform is designed to give you visibility and control over your entire third-party ecosystem, ensuring you can respond rapidly to new vulnerabilities and evolving attack techniques.

If you have any questions about this advisory or need assistance with your cybersecurity posture, we are happy to help at ops@rescana.com.