
What is the Vulnerability?

A critical Out-of-Bounds Write vulnerability (CVE-2025-9242) exists in the WatchGuard Fireware OS iked process, which handles IKEv2 VPN connections. The flaw allows a remote, unauthenticated attacker to execute arbitrary code on affected devices.

The vulnerability impacts both:

– Mobile user VPNs using IKEv2, and

– Branch Office VPNs using IKEv2 when configured with a dynamic gateway peer.

WatchGuard has confirmed the issue is resolved in patched releases and has reported evidence of active exploitation in the wild. Additionally, public technical analysis and proof-of-concept reproduction of the flaw are available, increasing the likelihood of broader attacks.

What is the recommended Mitigation?

  • Install vendor patches on all affected Firebox appliances.

  • Rotate all locally stored secrets on vulnerable appliances (WatchGuard recommends rotating secrets due to evidence of exploitation): passwords, shared keys, and certificates stored on the Firebox.
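The two exposure conditions above (IKEv2 mobile user VPN, or an IKEv2 branch office VPN with a dynamic gateway peer) plus the patch and secret-rotation advice can be turned into a fleet triage pass. The script below is an added example, not WatchGuard or FortiGuard code. The Firebox inventory, the version strings and the `FIXED_VERSIONS_PLACEHOLDER` mapping are all constructed for illustration; the actual fixed Fireware releases are not stated on this page and must be taken from the vendor advisory before the mapping is used.

```python
"""
Exposure triage for CVE-2025-9242 across a Firebox fleet (added example).

Exposure is taken straight from the advisory: the iked flaw is reachable when
IKEv2 is used for mobile user VPN, or for a branch office VPN whose gateway
peer is dynamic. Fixed-version numbers are a caller-supplied placeholder.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical mapping of Fireware branch -> first fixed release.
# These numbers are constructed placeholders, NOT the vendor's real values.
FIXED_VERSIONS_PLACEHOLDER: Dict[str, str] = {"12.11": "12.11.3"}


@dataclass
class Firebox:
    hostname: str
    fireware_version: str            # constructed, e.g. "12.11.2"
    ikev2_mobile_vpn: bool           # IKEv2 mobile user VPN enabled
    ikev2_bovpn_dynamic_peer: bool   # IKEv2 BOVPN with a dynamic gateway peer


def parse_version(version: str) -> Tuple[int, ...]:
    """Extract the numeric components so '12.11.2' compares as (12, 11, 2)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_patched(version: str, fixed_versions: Dict[str, str]) -> bool:
    """True when the box runs a release at or after the fixed one for its branch.
    A branch with no known fixed release is treated as unpatched (fail closed)."""
    parsed = parse_version(version)
    branch = ".".join(str(x) for x in parsed[:2])
    fixed = fixed_versions.get(branch)
    return fixed is not None and parsed >= parse_version(fixed)


def is_exposed(box: Firebox) -> bool:
    """Either IKEv2 configuration named in the advisory makes iked reachable."""
    return box.ikev2_mobile_vpn or box.ikev2_bovpn_dynamic_peer


def triage(fleet: List[Firebox], fixed_versions: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each hostname to its action list: 'patch', 'rotate_secrets', or nothing."""
    actions: Dict[str, List[str]] = {}
    for box in fleet:
        todo: List[str] = []
        if is_exposed(box):
            if not is_patched(box.fireware_version, fixed_versions):
                todo.append("patch")
            # Exploitation in the wild is reported, so any box that has been
            # exposed gets its stored passwords, shared keys and certificates
            # rotated, even if it has since been patched (conservative choice).
            todo.append("rotate_secrets")
        actions[box.hostname] = todo
    return actions


def sample_fleet() -> List[Firebox]:
    """Constructed inventory used to exercise the triage logic."""
    return [
        Firebox("fw-branch-a", "12.11.2", True, False),   # exposed, unpatched
        Firebox("fw-branch-b", "12.11.3", True, False),   # exposed, patched
        Firebox("fw-lab", "12.11.2", False, False),       # no IKEv2 exposure
        Firebox("fw-legacy", "12.5.1", False, True),      # branch with no fix listed
    ]


def run_example() -> Dict[str, List[str]]:
    return triage(sample_fleet(), FIXED_VERSIONS_PLACEHOLDER)


if __name__ == "__main__":
    for host, todo in run_example().items():
        print(f"{host}: {', '.join(todo) if todo else 'no action'}")
```

Feeding the script an export of the real inventory (version plus the two VPN settings) gives a prioritised patch list; boxes whose branch is absent from the fixed-version map surface as "patch" so that unknown releases are never silently treated as safe.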

What FortiGuard Coverage is available?

  • Intrusion Prevention System (IPS): FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2025-9242.

    Intrusion Prevention | FortiGuard Labs

  • Incident Response Service: The FortiGuard Incident Response team is available to assist with any suspected compromise.