Cyber Posture

CVE-2025-9242

Critical · CISA KEV · Active Exploitation · Public PoC

Published: 17 September 2025
Modified: 14 November 2025
KEV Added: 12 November 2025
Patch: WatchGuard PSIRT advisory WGSAR-2025-00015
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6897 (98.7th percentile)
Risk Priority: 81 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-9242 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in WatchGuard Fireware OS, reachable through the appliance's IKEv2 VPN processing. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.3% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely identification, reporting, and correction of flaws such as the out-of-bounds write in WatchGuard Fireware OS IKEv2 processing, closing the path to remote unauthenticated code execution.

RA-5 Vulnerability Monitoring and Scanning (detect)

Mandates vulnerability scanning to identify systems running affected Fireware OS versions and therefore exposed to CVE-2025-9242 exploitation.

Security alerts and advisories (prevent)

Requires receiving and acting on security alerts and advisories, such as the CISA KEV listing for CVE-2025-9242, to initiate patching of affected Fireware OS versions and review of the IKEv2 VPN configurations the vulnerability depends on.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why this technique?

An out-of-bounds write that yields remote unauthenticated RCE on exposed IKEv2 VPN services maps directly to exploitation of a public-facing application on a network device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.

Deeper analysis

CVE-2025-9242 is an Out-of-bounds Write vulnerability (CWE-787) in WatchGuard Fireware OS, assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It affects the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. The vulnerability impacts Fireware OS versions 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1, potentially allowing a remote unauthenticated attacker to execute arbitrary code.

A remote unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. Successful exploitation enables arbitrary code execution on the firewall device, resulting in high impacts to confidentiality, integrity, and availability.

WatchGuard's PSIRT advisory (WGSAR-2025-00015) details the issue and mitigation steps. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, and a proof-of-concept exploit script is publicly available on GitHub from watchTowr Labs (watchtowrlabs).

Its inclusion in CISA's catalog indicates real-world exploitation, underscoring the urgency for affected organizations to patch immediately. Because the flaw is reached without authentication on an Internet-facing service, exposure should be assessed from the appliance's IKEv2 configuration (Mobile User VPN with IKEv2, or Branch Office VPN with a dynamic gateway peer) as well as from its Fireware OS version.
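The affected-version ranges quoted from the NVD description and the Risk Priority weighting shown in the page header, turned into a small triage script. This is an added example written for this page; it is not WatchGuard, NVD or Cyber Posture tooling. The inclusive ranges are copied from the description above, the 0..100 normalisation inside risk_priority is an assumption that reproduces the page's figure of 81, and the device inventory under __main__ is constructed.

```python
"""Triage helper for CVE-2025-9242 (WatchGuard Fireware OS, CWE-787 in IKEv2).

Added example for this page, not vendor or NVD code.  Affected ranges are
taken verbatim from the NVD description; the risk-priority normalisation is
an assumption that reproduces the page's stated value of 81.
"""
from __future__ import annotations

import re
from typing import Tuple

# Fireware version strings seen in the advisory text: "12.11.3",
# "11.12.4_Update1", "2025.1".  Parsed to a fixed-width tuple so releases
# with different numbers of components compare correctly.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_Update(\d+))?$")


def parse_fireware_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, update) for a Fireware OS version string.

    Raises ValueError for strings that do not look like a Fireware version.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 3:
        raise ValueError(f"too many version components: {version!r}")
    parts += [0] * (3 - len(parts))      # "2025.1" -> 2025.1.0, "12.0" -> 12.0.0
    update = int(m.group(2) or 0)        # "_Update1" -> 1, no suffix -> 0
    return (parts[0], parts[1], parts[2], update)


# Inclusive ranges exactly as stated in the NVD description.  Anything outside
# them, including "_Update" builds above an upper bound, is reported as not
# affected by this check; confirm fixed releases against the vendor advisory.
AFFECTED_RANGES = (
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.3"),
    ("2025.1", "2025.1"),
)


def is_affected(version: str) -> bool:
    """True if `version` falls inside one of the published affected ranges."""
    v = parse_fireware_version(version)
    return any(
        parse_fireware_version(lo) <= v <= parse_fireware_version(hi)
        for lo, hi in AFFECTED_RANGES
    )


def is_exposed(version: str, ikev2_muvpn: bool, bovpn_dynamic_peer: bool) -> bool:
    """Vulnerable version *and* one of the two IKEv2 configurations the
    description names: Mobile User VPN with IKEv2, or Branch Office VPN using
    IKEv2 with a dynamic gateway peer."""
    return is_affected(version) and (ikev2_muvpn or bovpn_dynamic_peer)


def risk_priority(epss: float, on_kev: bool, cvss: float) -> int:
    """Page's stated weighting: 60% EPSS, 20% KEV, 20% CVSS.

    ASSUMPTION: each input is scaled to 0..100 before weighting (EPSS
    probability x100, KEV as 0/100, CVSS x10).  With the header values
    (0.6897, KEV listed, 9.8) this gives 80.98, rounded to 81 as on the page.
    """
    score = 0.6 * (epss * 100) + 0.2 * (100 if on_kev else 0) + 0.2 * (cvss * 10)
    return round(score)


if __name__ == "__main__":
    # Constructed sample inventory (hostname, version, MUVPN-IKEv2, BOVPN dynamic peer).
    inventory = [
        ("fw-edge-01", "12.11.3", True, False),
        ("fw-edge-02", "12.11.4", True, True),
        ("fw-branch-07", "11.12.4_Update1", False, True),
        ("fw-lab-01", "2025.1", False, False),
    ]
    for name, ver, muvpn, dyn in inventory:
        if is_exposed(ver, muvpn, dyn):
            state = "EXPOSED: patch now"
        elif is_affected(ver):
            state = "vulnerable version, no IKEv2 exposure in config"
        else:
            state = "not affected"
        print(f"{name:14} {ver:18} {state}")
    print("risk priority:", risk_priority(0.6897, True, 9.8))
```

The version comparison is deliberately literal to the published ranges: a build such as 11.12.4_Update2 sorts above 11.12.4_Update1 and is therefore reported as outside the range, which is why the result should be read alongside the vendor advisory rather than as a final verdict.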

Details

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 12 November 2025

Affected Products

watchguard fireware
2025.1
11.10.2 to 12.11.4
11.10.2 to 12.5.13

The product record lists the ranges above; the NVD description gives the inclusive ranges 11.10.2 to 11.12.4_Update1, 12.0 to 12.11.3, and 2025.1.

CVEs Like This One

CVE-2025-14733: same product (WatchGuard Firebox M270); both on KEV
CVE-2026-3342: same product (WatchGuard Firebox M270)
CVE-2025-0282: shared CWE-787; both on KEV
CVE-2025-21042: shared CWE-787; both on KEV
CVE-2026-27703: shared CWE-787
CVE-2026-21897: shared CWE-787
CVE-2025-29385: shared CWE-787
CVE-2025-43300: shared CWE-787; both on KEV
CVE-2025-26508: shared CWE-787
CVE-2025-29386: shared CWE-787
