CVE-2025-9242
Published: 17 September 2025
Summary
CVE-2025-9242 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Watchguard Fireware. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
An Out-of-bounds Write vulnerability, tracked as CVE-2025-9242 and assigned CWE-787, exists in WatchGuard Fireware OS. The flaw affects the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. Impacted versions include Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1. It carries a CVSS 4.0 score of 9.3, reflecting network-accessible conditions with no required authentication or user interaction.
A remote unauthenticated attacker can send specially crafted IKEv2 traffic to trigger the out-of-bounds write and execute arbitrary code on the affected appliance, resulting in full compromise of confidentiality, integrity, and availability.
The vendor advisory at https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015 details mitigation steps, including available patches. The issue is also tracked in the CISA Known Exploited Vulnerabilities catalog. A public proof-of-concept exploit script has been published on GitHub. The EPSS score stands at 0.7859 with a recorded peak of 0.7901.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29699
Vulnerability details
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic…
more
gateway peer.This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.
- CWE(s)
- KEV Date Added
- 12 November 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write enabling remote unauthenticated RCE on exposed IKEv2 VPN services directly maps to exploitation of a public-facing network device application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely identification, reporting, and correction of flaws like the out-of-bounds write in WatchGuard Fireware OS IKEv2 processing to prevent remote unauthenticated code execution.
Mandates vulnerability scanning to identify systems running affected Fireware OS versions exposed to CVE-2025-9242 exploitation.
Requires receiving and acting on security alerts and advisories, such as CISA KEV listing for CVE-2025-9242, to initiate patching of vulnerable VPN configurations.