WatchGuard Firebox out-of-bounds write RCE (CVE-2025-9242)
Vulnerability
Summary
WatchGuard Firebox devices are affected by CVE-2025-9242, a critical out-of-bounds write that can let a remote unauthenticated attacker execute code on vulnerable firewalls. The flaw impacts Fireware OS 11.x, 12.x, and 2025.1 when IKEv2 VPN is configured, broadening exposure across multiple appliance lines. WatchGuard has issued fixes in 12.3.1_Update3 (B722811), 12.5.13, 12.11.4, and 2025.1.1 and also published a temporary workaround for some deployments. The vendor says it is not yet exploited in the wild, but the remaining risk is serious because firewall compromise can expose internal networks and traffic.
Related Happenings
Federal civilian executive branch agency hit by network compromise
Incident
First: 24.04.2026 23:34
Last: 24.04.2026 23:34
Sources 1
About this happening:
A **federal civilian executive branch agency** was compromised in an **early September 2025** intrusion that left attackers with persistent access on **Cisco Firepower** and **Sec...
FIRESTARTER malware on Cisco ASA and FTD devices
Malware Activity
First: 23.04.2026 15:00
Last: 23.04.2026 15:00
Sources 1
About this happening:
CISA has published analysis of **FIRESTARTER**, a malware strain that enables **remote access and control** on **Cisco Firepower** and **Secure Firewall** devices, raising the ris...
Latest development: 24.04.2026 23:34
CISA, NCSC-UK, and Cisco detailed Firestarter persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software, attributing the backdoor to UAT-4356 and linking the activity to ArcaneDoor. The malware modifies CSP_MOUNT_LIST, stores a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, restores itself to /usr/bin/lina_cs, and relaunches after termination or reboot; Cisco recommends reimaging and upgrading to fixed releases, or using a cold restart only if reimaging is not possible.
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation Wave
First: 20.02.2026 23:07
Last: 20.02.2026 23:07
Sources 1
About this happening:
**CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...
BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave
Exploitation Wave
First: 12.02.2026 23:34
Last: 12.02.2026 23:34
Sources 1
About this happening:
**CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote...
Fireware OS out-of-bounds write security flaw (CVE-2025-14733)
Vulnerability
First: 19.12.2025 13:23
Last: 19.12.2025 13:23
Sources 1
About this happening:
**WatchGuard Fireware OS** contains **CVE-2025-14733**, an **out-of-bounds write** in the **iked process** that creates **remote unauthenticated code execution** risk for **IKEv2...
Timeline
- 18.09.2025 11:23 · 6 articles
WatchGuard discloses CVE-2025-9242 in Firebox firewalls
Initial Disclosure
WatchGuard released security updates for Firebox firewalls after identifying CVE-2025-9242, a critical remote code execution vulnerability caused by an out-of-bounds write in the Fireware OS iked process. The issue affects Fireware OS 11.x, 12.x, and 2025.1 when IKEv2 VPN is configured, and Firebox devices may still be exposed if a static-gateway Branch Office VPN remains configured. It is fixed in 12.3.1_Update3 (B722811), 12.5.13, 12.11.4, and 2025.1.1. WatchGuard also published a temporary workaround for some Branch Office VPN deployments and said the vulnerability is not yet being exploited in the wild.
- WatchGuard warns of critical vulnerability in Firebox firewalls — www.bleepingcomputer.com — 18.09.2025 11:23
- Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices — thehackernews.com — 17.10.2025 12:25
- Over 75,000 WatchGuard security devices vulnerable to critical RCE — www.bleepingcomputer.com — 20.10.2025 20:42
- Critical WatchGuard Fireware OS Flaw Enables Remote Code Execution — www.infosecurity-magazine.com — 21.10.2025 13:42
- CISA warns of WatchGuard firewall flaw exploited in attacks — www.bleepingcomputer.com — 13.11.2025 12:03