The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a heightened alert after confirming active exploitation of a critical security flaw impacting WatchGuard Firebox firewalls. The vulnerability, tracked as CVE-2025-9242 with a CVSS score of 9.3, has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling its urgent priority for remediation.
The flaw affects a wide range of Fireware OS versions: 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1. According to the technical analysis published by watchTowr Labs, the bug is a missing length check on an identification buffer used during the IKE handshake. Because the copied length is never compared against the destination buffer, an attacker-controlled identification payload produces an out-of-bounds write in the iked process, a weakness classified as CWE-787.
Although the device does validate the peer's certificate during the handshake, that validation runs only after the vulnerable code path has already executed. The ordering matters more than the check itself: an attacker can reach and trigger the overflow before any authentication takes place, which is what makes this an arbitrary code execution bug for remote, unauthenticated users. WatchGuard's own advisory ties exposure to IKEv2 VPN configurations (Mobile User VPN with IKEv2, and Branch Office VPN with a dynamic gateway peer), so deployments with those features enabled, or previously enabled, are the ones to check first.
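The pattern described above, as an added illustration written for this bulletin rather than code taken from WatchGuard's iked or from watchTowr's write-up: a parser for the IKEv2 Identification payload that trusts the payload length and copies into a fixed buffer (the CWE-787 shape), beside the same parser with the length check in place, plus a message handler that parses the ID before the certificate check, in the order the advisory describes. The 64-byte buffer size, the function names and the certificate stub are assumptions; the payload layout follows RFC 7296.

```c
/*
 * Constructed example: a CWE-787 length-check bug in an IKEv2
 * Identification payload parser. Not WatchGuard's code; buffer size,
 * names and the certificate stub are assumptions for illustration.
 *
 * IKEv2 generic payload header (RFC 7296, section 3.2):
 *   byte 0     Next Payload
 *   byte 1     C bit + reserved
 *   bytes 2-3  Payload Length, big-endian, includes the 4-byte header
 * Identification payload body (RFC 7296, section 3.5):
 *   byte 4     ID Type
 *   bytes 5-7  reserved
 *   byte 8..   Identification Data (Payload Length - 8 bytes)
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ID_HDR_LEN   8
#define ID_BUF_SIZE 64          /* assumed fixed-size destination buffer */

enum { ID_OK = 0, ID_ERR_SHORT = -1, ID_ERR_TOO_LONG = -2, ID_ERR_AUTH = -3 };

struct ike_id {
    uint8_t id_type;
    size_t  id_len;
    uint8_t id_data[ID_BUF_SIZE];
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern: Payload Length is checked against the packet, never
 * against the destination buffer, so memcpy can write past id_data. */
int parse_id_payload_vulnerable(const uint8_t *p, size_t avail, struct ike_id *out)
{
    if (avail < ID_HDR_LEN) return ID_ERR_SHORT;
    uint16_t plen = be16(p + 2);
    if (plen < ID_HDR_LEN || plen > avail) return ID_ERR_SHORT;
    out->id_type = p[4];
    out->id_len  = plen - ID_HDR_LEN;
    memcpy(out->id_data, p + ID_HDR_LEN, out->id_len);   /* BUG: no bound on id_len */
    return ID_OK;
}

/* Hardened: reject an oversized identification before touching the buffer. */
int parse_id_payload_hardened(const uint8_t *p, size_t avail, struct ike_id *out)
{
    if (avail < ID_HDR_LEN) return ID_ERR_SHORT;
    uint16_t plen = be16(p + 2);
    if (plen < ID_HDR_LEN || plen > avail) return ID_ERR_SHORT;
    size_t id_len = plen - ID_HDR_LEN;
    if (id_len > ID_BUF_SIZE) return ID_ERR_TOO_LONG;    /* the missing check */
    out->id_type = p[4];
    out->id_len  = id_len;
    memcpy(out->id_data, p + ID_HDR_LEN, id_len);
    return ID_OK;
}

/* Build a constructed payload: ID Type 2 (ID_FQDN) with id_len bytes of 'A'.
 * Returns the total payload length, or 0 if buf cannot hold it. */
size_t build_id_payload(uint8_t *buf, size_t bufsz, size_t id_len)
{
    size_t plen = ID_HDR_LEN + id_len;
    if (plen > bufsz || plen > 0xFFFF) return 0;
    memset(buf, 0, ID_HDR_LEN);
    buf[2] = (uint8_t)(plen >> 8);
    buf[3] = (uint8_t)(plen & 0xFF);
    buf[4] = 2;                                          /* ID_FQDN */
    memset(buf + ID_HDR_LEN, 'A', id_len);
    return plen;
}

/* Stub for the later authentication step (assumed: always rejects). */
static int verify_peer_cert(const struct ike_id *id) { (void)id; return 0; }

/* Handler in the order the advisory describes: the ID payload is parsed and
 * copied before the certificate is ever examined, so an unauthenticated
 * peer reaches the copy. Only the hardened parser stops it there. */
int handle_ike_auth(const uint8_t *msg, size_t len, int hardened)
{
    struct ike_id id;
    int rc = hardened ? parse_id_payload_hardened(msg, len, &id)
                      : parse_id_payload_vulnerable(msg, len, &id);
    if (rc != ID_OK) return rc;
    return verify_peer_cert(&id) ? ID_OK : ID_ERR_AUTH;   /* auth happens only now */
}

int main(void)
{
    uint8_t pkt[512];
    size_t n = build_id_payload(pkt, sizeof pkt, 200);    /* 200 > ID_BUF_SIZE */
    printf("hardened handler, 200-byte ID: %d (ID_ERR_TOO_LONG is %d)\n",
           handle_ike_auth(pkt, n, 1), ID_ERR_TOO_LONG);
    /* The vulnerable parser is deliberately not given the oversized payload:
     * it would corrupt this process's own stack. */
    n = build_id_payload(pkt, sizeof pkt, 16);
    printf("both handlers, 16-byte ID: %d / %d\n",
           handle_ike_auth(pkt, n, 0), handle_ike_auth(pkt, n, 1));
    return 0;
}
```

On a legitimate 16-byte identification both handlers behave identically and fall through to the certificate check; the difference only shows on an oversized one, which the hardened parser rejects before the copy and the vulnerable parser copies before it has authenticated anyone.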
The impact of exploitation goes far beyond compromising a single appliance. Because firewalls function as central defensive gateways in most networks, a successful takeover grants attackers a powerful foothold to infiltrate internal systems, intercept communications, or deploy additional malware.
Shadowserver Foundation data illustrates the scale of exposure: as of November 12, 2025, more than 54,300 Firebox devices remained exposed worldwide, down from nearly 76,000 in October. Roughly 18,500 of those are in the U.S. alone; Italy, the U.K., Germany, and Canada are the other most affected countries.
CISA has set a December 3, 2025 remediation deadline for Federal Civilian Executive Branch (FCEB) agencies, emphasizing that the vulnerability poses an immediate and severe threat. In the same update the agency added two other actively exploited vulnerabilities to the KEV catalog: CVE-2025-62215, affecting the Windows kernel, and CVE-2025-12480 in Gladinet Triofox. The latter has been linked to the threat actor UNC6485, according to Google's Mandiant Threat Defense team.
Despite the confirmed exploitation of CVE-2025-9242, public details about how attackers are leveraging the flaw remain limited. That silence should not be read as low impact: capable threat groups often avoid broad campaigns precisely to preserve operational stealth, and a pre-authentication code execution bug on a perimeter device is exactly the kind of access they prefer to keep quiet.
Organisations using WatchGuard Firebox devices should act immediately:
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or get in touch to find out how you can protect your organisation.