The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently placed a high-severity security flaw impacting WatchGuard Fireware into its Known Exploited Vulnerabilities (KEV) catalog, a direct result of evidence confirming its active exploitation by malicious actors. This critical vulnerability is identified as CVE-2025-9242 and carries a significant CVSS score of 9.3. It is described as an out-of-bounds write vulnerability that specifically affects various versions of the Fireware OS, including 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and version 2025.1.
CISA formally warned in an advisory that this vulnerability resides within the operating system’s iked process on the WatchGuard Firebox appliance. The nature of the flaw is such that it “may allow a remote unauthenticated attacker to execute arbitrary code,” meaning an attacker could potentially gain control of the device without needing prior credentials. This lack of authentication requirement underscores the seriousness and accessibility of the exploit, making it a highly attractive target for threat actors targeting network infrastructure.
The technical specifics of the defect were initially published by watchTowr Labs last month. Their research indicated that the root cause of the issue is a missing length check on an identification buffer, which is processed during the Internet Key Exchange (IKE) handshake. A security researcher from the company, McCaulay Hudson, elaborated that while the server does attempt certificate validation, the critical piece of vulnerable code executes before this validation step. This timing is essential, as it allows the vulnerable code path to be reached successfully on a pre-authentication basis.
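To make the described root cause concrete, here is a constructed example in C (added here; it is not WatchGuard's or watchTowr's code) of an identification-payload parser that performs the length check the article says was missing, before copying into a fixed buffer and before any certificate step. The RFC 7296 Identification payload layout, the 64-byte buffer capacity and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed identification buffer capacity. Constructed value; the real daemon's
 * buffer size and structures are not given on the page. */
#define ID_BUF_CAP 64

struct peer_id {
    uint8_t  type;              /* ID Type byte from the payload */
    uint16_t len;               /* bytes actually stored in data[] */
    uint8_t  data[ID_BUF_CAP];
};

/* Parses an IKEv2-style Identification payload (RFC 7296 layout assumed):
 * 4-byte generic header (next payload, flags, 16-bit big-endian length),
 * then ID Type (1), RESERVED (3), Identification Data. Returns 0 on success,
 * -1 on a malformed or oversized payload. The bound check runs before the
 * copy and before anything that depends on certificate validation, which is
 * the check the article reports as absent in the vulnerable builds. */
int parse_id_payload(const uint8_t *buf, size_t buf_len, struct peer_id *out)
{
    if (buf_len < 8) return -1;                     /* headers incomplete */
    uint16_t payload_len = (uint16_t)((buf[2] << 8) | buf[3]);
    if (payload_len < 8 || payload_len > buf_len) return -1; /* bad length */
    size_t id_len = payload_len - 8;
    if (id_len > ID_BUF_CAP) return -1;             /* would overflow data[] */
    out->type = buf[4];
    out->len  = (uint16_t)id_len;
    memcpy(out->data, buf + 8, id_len);
    return 0;
}

/* Builds a constructed ID_FQDN payload carrying id_len bytes of 'a' and
 * feeds it to the parser. Returns the parser's result, or -2 if the test
 * payload itself does not fit the scratch packet. */
int try_parse(size_t id_len)
{
    static uint8_t pkt[1024];
    struct peer_id id;
    size_t total = 8 + id_len;
    if (total > sizeof pkt) return -2;
    memset(pkt, 0, sizeof pkt);
    pkt[2] = (uint8_t)(total >> 8);
    pkt[3] = (uint8_t)(total & 0xFF);
    pkt[4] = 2;                                     /* ID_FQDN */
    memset(pkt + 8, 'a', id_len);
    return parse_id_payload(pkt, total, &id);
}
```

A payload whose declared length exceeds the buffer capacity is rejected before any byte is written, so an over-long identification field cannot reach the copy.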
While there is currently a lack of public information detailing the specific methods or the precise scale of ongoing exploitation, the exposed attack surface remains substantial. Data collected by the Shadowserver Foundation indicates that as of November 12, 2025, more than 54,300 Firebox instances globally are still exposed to this critical bug. This number represents a notable decrease from a peak of 75,955 observed on October 19, suggesting some organizations have begun patching. Of the current vulnerable devices, approximately 18,500 are located within the United States, followed by significant concentrations in Italy (5,400), the U.K. (4,000), Germany (3,600), and Canada (3,000).
This addition to the KEV catalog coincides with CISA adding two other significant security issues. The first is CVE-2025-62215 (CVSS score: 7.0), a recently disclosed flaw affecting the Windows kernel. The second is CVE-2025-12480 (CVSS score: 9.1), an improper access control vulnerability identified in the Gladinet Triofox platform. In this latter case, Google's Mandiant Threat Defense team has attributed its exploitation to a threat actor it tracks as UNC6485. Because all KEV entries carry a high risk, Federal Civilian Executive Branch (FCEB) agencies have been given a mandatory deadline of December 3, 2025, to apply WatchGuard's available patches.