Cyber Resilience

CVE-2025-9242

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 17 September 2025

Modified: 14 November 2025
KEV Added: 12 November 2025
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.7859 (99.1th percentile)
Risk Priority: 86 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9242 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in WatchGuard Fireware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

An Out-of-bounds Write vulnerability, tracked as CVE-2025-9242 and assigned CWE-787, exists in WatchGuard Fireware OS. The flaw affects the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. Impacted versions include Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1. It carries a CVSS 4.0 score of 9.3, reflecting network-accessible conditions with no required authentication or user interaction.

A remote unauthenticated attacker can send specially crafted IKEv2 traffic to trigger the out-of-bounds write and execute arbitrary code on the affected appliance, resulting in full compromise of confidentiality, integrity, and availability.

The vendor advisory at https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015 details mitigation steps, including available patches. The issue is also tracked in the CISA Known Exploited Vulnerabilities catalog. A public proof-of-concept exploit script has been published on GitHub. The EPSS score stands at 0.7859 with a recorded peak of 0.7901.

Vulnerability details

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.

CWE(s): CWE-787
KEV Date Added: 12 November 2025

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Out-of-bounds write enabling remote unauthenticated RCE on exposed IKEv2 VPN services directly maps to exploitation of a public-facing network device application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-14733 · Same product: WatchGuard Firebox M270 · both on KEV
CVE-2026-3342 · Same product: WatchGuard Firebox M270
CVE-2025-0282 · Shared CWE-787 · both on KEV
CVE-2025-25742 · Shared CWE-787
CVE-2025-21042 · Shared CWE-787 · both on KEV
CVE-2026-21897 · Shared CWE-787
CVE-2024-57704 · Shared CWE-787
CVE-2024-57579 · Shared CWE-787
CVE-2024-57581 · Shared CWE-787
CVE-2026-0114 · Shared CWE-787

Affected Assets

watchguard
fireware
2025.1 · 11.10.2 — 12.11.4 · 11.10.2 — 12.5.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and correction of flaws like the out-of-bounds write in WatchGuard Fireware OS IKEv2 processing to prevent remote unauthenticated code execution.

detect

Mandates vulnerability scanning to identify systems running affected Fireware OS versions exposed to CVE-2025-9242 exploitation.

prevent

Requires receiving and acting on security alerts and advisories, such as CISA KEV listing for CVE-2025-9242, to initiate patching of vulnerable VPN configurations.
