Cybersecurity researchers have detailed a critical security flaw recently patched in WatchGuard Fireware that could allow unauthenticated attackers to execute arbitrary code.
This vulnerability is tracked as CVE-2025-9242 (CVSS score: 9.3) and is described as an out-of-bounds write vulnerability affecting Fireware OS 11.10.2 and later 11.12.4_Update1, 12.0 and later 12.11.3, and 2025.1.
“An out-of-bounds write vulnerability in the iked process in WatchGuard Fireware OS could allow a remote, unauthenticated attacker to execute arbitrary code,” WatchGuard said in an advisory released last month. “This vulnerability affects both mobile user VPNs using IKEv2 and branch office VPNs using IKEv2 when configured with dynamic gateway peers.”
This issue has been resolved in the following versions:
2025.1 – Fixed in 2025.1.1 12.x – Fixed in 12.11.4 12.3.1 (FIPS certified release) – Fixed in 12.3.1_Update3 (B722811) 12.5.x (T15 and T35 models) – Fixed in 12.5.13) 11.x – End of support reached
A new analysis from watchTowr Labs describes CVE-2025-9242 as having “all the hallmarks that friendly neighborhood ransomware gangs love to see,” including the fact that it affects internet-facing services, can be exploited without authentication, and can execute arbitrary code on perimeter appliances.
According to security researcher McCaulay Hudson, the vulnerability is rooted in a function “ike2_ProcessPayload_CERT” located in the file “src/ike/iked/v2/ike2_payload_cert.c”, which is designed to copy the client’s “identity” into a 520-byte local stack buffer and validate the provided client SSL certificate.
The issue is caused by a missing identity buffer length check, which allows an attacker to cause an overflow and enable remote code execution during the IKE_SA_AUTH phase of the handshake process used to establish a virtual private network (VPN) tunnel between a client and WatchGuard’s VPN service via the IKE key management protocol.
“The server attempts to validate the certificate, but that validation happens after the vulnerable code has executed, allowing the path of the vulnerable code to be reached before authentication,” Hudson said.
WatchTowr noted that while the WatchGuard Fireware OS does not have an interactive shell such as “/bin/bash”, an attacker could weaponize this flaw to gain control of the instruction pointer register (aka RIP or program counter) and ultimately leverage the mprotect() system call to spawn a Python interactive shell over TCP, effectively bypassing the NX bit (aka the no-execute bit). mitigation measures.
Once you have a remote Python shell, you can further expand your foothold through a multi-step process to get a full Linux shell.
Run execve directly within Python to remount the filesystem as read/write Download the BusyBox busybox binaries to the target Symlink /bin/sh to the BusyBox binaries
This development comes amidst watchTowr’s demonstration that a now-fixed denial of service (DoS) vulnerability (CVE-2025-3600, CVSS score: 7.5) affecting the Progress Telerik UI for AJAX could also allow remote code execution, depending on the targeted environment. This vulnerability was resolved by Progress Software on April 30, 2025.
“Depending on the target codebase, such as the presence of certain no-argument constructors, finalizers, or unsafe assembly resolvers, the impact could extend to remote code execution,” security researcher Piotr Bajdro said.
Earlier this month, Watchtower’s Sina Kheirkhah also disclosed a critical pre-authenticated command injection flaw in Dell UnityVSA (CVE-2025-36604, CVSS score: 9.8/7.3) that could lead to remote command execution. Dell fixed this vulnerability in July 2025 after making a responsible disclosure on March 28th.
Source link
