Article Details
Scrape Timestamp (UTC): 2025-11-13 07:24:10.960
Source: https://thehackernews.com/2025/11/cisa-flags-critical-watchguard-fireware.html
Original Article Text
Click to Toggle View
CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting WatchGuard Fireware to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2025-9242 (CVSS score: 9.3), an out-of-bounds write vulnerability affecting Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1. "WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code," CISA said in an advisory. Details of the vulnerability were shared by watchTowr Labs last month, with the cybersecurity company stating that the issue stems from a missing length check on an identification buffer used during the IKE handshake process. "The server does attempt certificate validation, but that validation happens after the vulnerable code runs, allowing our vulnerable code path to be reachable pre-authentication," security researcher McCaulay Hudson noted. There are currently no details on how the security defect is being exploited and what's the scale of such efforts. According to data from the Shadowserver Foundation, more than 54,300 Firebox instances remain vulnerable to the critical bug as of November 12, 2025, down from a high of 75,955 on October 19. Roughly 18,500 of these devices are in the U.S., the scans reveal. Italy (5,400), the U.K. (4,000), Germany (3,600), and Canada (3,000) round up the top five. Federal Civilian Executive Branch (FCEB) agencies are advised to apply WatchGuard's patches by December 3, 2025. The development comes as CISA also added CVE-2025-62215 (CVSS score: 7.0), a recently disclosed flaw in Windows kernel, and CVE-2025-12480 (CVSS score: 9.1), an improper access control vulnerability in Gladinet Triofox, to the KEV catalog. Google's Mandiant Threat Defense team has attributed the exploitation of CVE-2025-12480 to a threat actor it tracks as UNC6485.
Daily Brief Summary
CISA added a critical vulnerability in WatchGuard Fireware to its Known Exploited Vulnerabilities catalog due to active exploitation, affecting over 54,000 Firebox devices globally.
The flaw, identified as CVE-2025-9242 with a CVSS score of 9.3, involves an out-of-bounds write in the OS iked process, allowing unauthenticated remote code execution.
A missing length check during the IKE handshake process is the root cause, making the vulnerable code accessible before authentication, as noted by security researcher McCaulay Hudson.
More than 18,500 vulnerable devices are located in the U.S., with significant numbers also in Italy, the U.K., Germany, and Canada, according to Shadowserver Foundation data.
Federal Civilian Executive Branch agencies are urged to implement WatchGuard's patches by December 3, 2025, to mitigate potential risks.
The vulnerability's inclusion in CISA's catalog coincides with the addition of other critical flaws, such as a Windows kernel issue and a Gladinet Triofox access control vulnerability.
This development serves as a reminder of the importance of timely patch management to prevent exploitation of known security flaws.