The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a heightened alert after confirming active exploitation of a critical security flaw impacting WatchGuard Firebox firewalls. The vulnerability, tracked as CVE-2025-9242 with a CVSS score of 9.3, has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling its urgent priority for remediation.
The flaw affects Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1. According to watchTowr Labs' technical analysis, the root cause is a missing length check on the buffer that receives the peer's Identification payload during the IKEv2 handshake: the length field supplied by the remote peer is trusted when the payload is copied, so an oversized payload produces an out-of-bounds write in the iked process (CWE-787).
The device does validate the peer's certificate during the handshake, but that validation runs only after the vulnerable copy has already executed. The bug is therefore reachable by a remote peer that has not authenticated, and a successful exploit yields arbitrary code execution in the context of the iked process on the firewall. WatchGuard's advisory scopes the exposure to Fireboxes configured with an IKEv2 mobile user VPN or an IKEv2 branch office VPN to a dynamic gateway peer, and notes that a device that once had such a configuration can remain vulnerable if a branch office VPN to a static gateway peer is still configured.
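The bug class described above, shown as an added illustrative example rather than WatchGuard's iked code: a parser for the IKEv2 Identification payload (wire layout per RFC 7296, sections 3.2 and 3.5) that trusts the peer-supplied Payload Length field when copying into a fixed-size buffer, beside the hardened form that bounds the copy before it happens. The destination buffer size `ID_DATA_MAX`, the function names and the sample payloads are all assumptions constructed for the example; the point is that the hardened check rejects oversized input before any write, so it no longer matters whether certificate validation runs before or after this code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IKEv2 ID payload (RFC 7296 3.2 and 3.5), big-endian fields:
 *   byte 0   Next Payload        byte 4     ID Type
 *   byte 1   Critical + Reserved byte 5..7  RESERVED
 *   byte 2-3 Payload Length      byte 8..   Identification Data
 * Payload Length includes the 4-byte generic header, so the ID data
 * occupies bytes [8, Payload Length). */
#define ID_HDR_LEN   8
#define ID_DATA_MAX  64   /* hypothetical fixed buffer size, assumed for the example */

struct id_payload {
    uint8_t  type;
    uint16_t data_len;
    uint8_t  data[ID_DATA_MAX];
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Vulnerable pattern: Payload Length is checked against the received datagram
 * only, never against the destination buffer, so a peer that sends more than
 * ID_DATA_MAX bytes of ID data makes memcpy write past out->data (CWE-787).
 * No authentication has taken place when this runs. */
int parse_id_vulnerable(const uint8_t *pkt, size_t pkt_len, struct id_payload *out)
{
    if (pkt_len < ID_HDR_LEN)
        return -1;
    uint16_t plen = be16(pkt + 2);
    if (plen < ID_HDR_LEN || plen > pkt_len)
        return -1;                                   /* protects the read side only */
    out->type = pkt[4];
    out->data_len = (uint16_t)(plen - ID_HDR_LEN);
    memcpy(out->data, pkt + ID_HDR_LEN, out->data_len);  /* unbounded write */
    return 0;
}

/* Hardened pattern: same wire checks plus a bound on the destination,
 * applied before any byte is copied. */
int parse_id_hardened(const uint8_t *pkt, size_t pkt_len, struct id_payload *out)
{
    if (pkt_len < ID_HDR_LEN)
        return -1;
    uint16_t plen = be16(pkt + 2);
    if (plen < ID_HDR_LEN || plen > pkt_len)
        return -1;
    size_t data_len = plen - ID_HDR_LEN;
    if (data_len > ID_DATA_MAX)
        return -2;                                   /* reject before touching out->data */
    out->type = pkt[4];
    out->data_len = (uint16_t)data_len;
    memcpy(out->data, pkt + ID_HDR_LEN, data_len);
    return 0;
}

/* Constructed test input (not a captured packet): an ID payload carrying
 * data_len bytes of filler. Returns total bytes written, 0 on failure. */
size_t build_id_payload(uint8_t *buf, size_t cap, uint8_t id_type, size_t data_len)
{
    size_t total = ID_HDR_LEN + data_len;
    if (total > cap || total > 0xFFFF)
        return 0;
    memset(buf, 0, total);                 /* Next Payload 0, Critical bit clear, RESERVED 0 */
    buf[2] = (uint8_t)(total >> 8);        /* Payload Length, big-endian */
    buf[3] = (uint8_t)(total & 0xFF);
    buf[4] = id_type;                      /* 2 = ID_FQDN in RFC 7296 */
    memset(buf + ID_HDR_LEN, 'A', data_len);
    return total;
}

/* Return code of the hardened parser for an ID payload of data_len bytes. */
int hardened_result(size_t data_len)
{
    uint8_t pkt[512];
    struct id_payload id;
    size_t n = build_id_payload(pkt, sizeof pkt, 2, data_len);
    return n ? parse_id_hardened(pkt, n, &id) : -99;
}

/* Return code of the vulnerable parser. Oversized input is refused here (-99)
 * because feeding it through would really overflow id.data on the stack. */
int vulnerable_result_inbounds(size_t data_len)
{
    uint8_t pkt[512];
    struct id_payload id;
    if (data_len > ID_DATA_MAX)
        return -99;
    size_t n = build_id_payload(pkt, sizeof pkt, 2, data_len);
    return n ? parse_id_vulnerable(pkt, n, &id) : -99;
}

int main(void)
{
    printf("hardened,   16-byte ID: %d\n", hardened_result(16));              /* 0  */
    printf("hardened,  300-byte ID: %d\n", hardened_result(300));             /* -2 */
    printf("vulnerable, 16-byte ID: %d\n", vulnerable_result_inbounds(16));   /* 0  */
    return 0;
}
```

The vulnerable parser's only length check compares the Payload Length against the datagram, which is what stops it from reading past the packet but does nothing for the write into the fixed buffer; the hardened parser adds the destination bound as a separate check and fails closed before the copy. Both functions behave identically on well-formed input, which is why this class of bug survives functional testing.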
The impact of exploitation goes far beyond compromising a single appliance. Because firewalls function as central defensive gateways in most networks, a successful takeover grants attackers a powerful foothold to infiltrate internal systems, intercept communications, or deploy additional malware.
Shadowserver Foundation data illustrates the scale of the issue: as of November 12, 2025, more than 54,300 internet-exposed Firebox devices still running vulnerable Fireware versions were observed worldwide, down from nearly 76,000 in October. Roughly 18,500 of those are in the U.S.; Italy, the U.K., Germany, and Canada are the next most affected countries.
CISA has set a December 3, 2025 remediation deadline for Federal Civilian Executive Branch (FCEB) agencies, emphasizing that the vulnerability poses an immediate and severe threat. In the same update the agency added two other actively exploited vulnerabilities to the KEV catalog: CVE-2025-62215, a Windows kernel privilege escalation flaw, and CVE-2025-12480, an improper access control flaw in Gladinet Triofox. Exploitation of the Triofox bug has been linked to the threat actor UNC6485 by Google's Mandiant Threat Defense team.
Despite the confirmed exploitation of CVE-2025-9242, public details about how attackers are leveraging the flaw remain limited. Security experts warn that silence does not imply low impact; sophisticated threat groups often avoid broad campaigns to preserve operational stealth.
What You Should Do
Organisations using WatchGuard Firebox devices should act immediately:
- Patch All Affected Devices
Check WatchGuard's advisory WGSA-2025-00015 and apply the fixed Fireware OS release for your model (12.11.4, 12.5.13, 12.3.1_Update3 or 2025.1.1). Fireware 11.x is end of life and receives no fix, so devices on that branch need to be replaced or taken offline. Patching is the only complete mitigation.
- Verify Your Inventory
Identify every Firebox or other WatchGuard appliance in your environment, including branch-office and lab units, and confirm the running Fireware OS version on each. Ensure no outdated or unmanaged devices remain online.
- Review Device Logs for Suspicious Activity
Look for unusual IKEv2 handshake activity from unknown peers, unexpected iked crashes or restarts (a failed attempt against a memory-corruption bug commonly crashes the target process), and unexplained configuration or administrator-account changes. Any of these is a possible indicator of compromise.
- Strengthen Network Monitoring
Increase visibility around perimeter devices: enable detailed logging, forward logs to a SIEM, and alert on anomalies such as new outbound connections originating from the firewall itself.
- Apply Temporary Mitigations if Patching Is Not Possible
If a device cannot be updated immediately, restrict inbound IKE/IPsec exposure (UDP/500 and UDP/4500) to known peer addresses, disable IKEv2 VPN services that are not needed, isolate the firewall segment, or temporarily remove the device from service.
- Follow CISA Requirements if You Are a Federal Agency or Contractor
Meet the December 3, 2025 remediation deadline and comply with Binding Operational Directive (BOD) 22-01.
- Assume Breach if You Discover an Unpatched, Publicly Exposed Device
Given active exploitation, any vulnerable system reachable from the internet should be treated as potentially compromised: preserve its logs, rotate administrator credentials and VPN secrets, and review for persistence before returning it to service.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
