Cybersecurity researchers disclosed details of a critical vulnerability in WatchGuard’s Fireware OS that could allow unauthenticated attackers to execute arbitrary code. The flaw is tracked as CVE-2025-9242 and carries a CVSS score of 9.3, affecting Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1, according to published advisories and analysis.
A technical analysis by watchTowr Labs attributed the flaw to an out-of-bounds write in a function that handles IKEv2 certificate payloads: a client identification value is copied into a 520‑byte stack buffer without a proper length check. The vulnerable code runs in the Fireware OS iked process, according to the analysis, which the researchers published as a detailed write-up at watchTowr Labs.
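The check the analysis says was missing, as an added defensive example that is not WatchGuard's code or watchTowr's: a bounds-checked copy of an IKEv2 Identification payload's data into a fixed 520-byte buffer, with the 520-byte size taken from the article, the payload layout from RFC 7296, and the function and constant names assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed bound taken from the article: a 520-byte stack buffer for the
 * peer's identification value. Payload layout follows RFC 7296 section 3.5
 * (4-byte generic header, 1-byte ID type, 3 reserved bytes, then ID data). */
#define ID_BUF_SIZE 520
#define ID_PAYLOAD_HDR 8

/* Copies the Identification Data of an IKEv2 ID payload into out[].
 * Returns the number of bytes copied, or -1 if the payload is malformed or
 * its ID data would not fit the fixed-size buffer. The final length check
 * is the piece the analysis says the vulnerable code lacked. */
int copy_ike_id(const uint8_t *payload, size_t avail, uint8_t *out, size_t outsz)
{
    if (payload == NULL || out == NULL || avail < ID_PAYLOAD_HDR)
        return -1;
    /* Payload Length field (bytes 2-3) covers the generic header too. */
    size_t plen = ((size_t)payload[2] << 8) | payload[3];
    if (plen < ID_PAYLOAD_HDR || plen > avail)
        return -1;                          /* truncated or inconsistent */
    size_t idlen = plen - ID_PAYLOAD_HDR;
    if (idlen > outsz)
        return -1;                          /* would overflow the buffer */
    memcpy(out, payload + ID_PAYLOAD_HDR, idlen);
    return (int)idlen;
}

/* Demonstration driver: builds a constructed ID payload carrying idlen
 * bytes of filler and runs it through the checked copy. */
int demo(size_t idlen)
{
    uint8_t pkt[1024];
    uint8_t idbuf[ID_BUF_SIZE];             /* the fixed stack buffer */
    size_t plen = ID_PAYLOAD_HDR + idlen;
    if (plen > sizeof pkt)
        return -1;
    memset(pkt, 0, sizeof pkt);             /* Next Payload, flags, reserved */
    pkt[2] = (uint8_t)(plen >> 8);          /* Payload Length, big-endian */
    pkt[3] = (uint8_t)(plen & 0xff);
    pkt[4] = 1;                             /* ID Type: ID_IPV4_ADDR */
    memset(pkt + ID_PAYLOAD_HDR, 'A', idlen);   /* constructed ID data */
    return copy_ike_id(pkt, plen, idbuf, sizeof idbuf);
}
```

A value of exactly 520 bytes is accepted and anything longer is rejected before the copy, which is the boundary an unchecked copy would cross.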
Because the vulnerable code executes before certificate validation during the IKE SA AUTH handshake, an attacker can reach the flaw without authenticating, the researchers said. The exploitation window is during the IKE_SA_AUTH phase of the IKEv2 protocol, and security vendor WatchGuard acknowledged the issue in an advisory released last month.
watchTowr’s analysis noted that although Fireware lacks a standard interactive shell, an attacker who controls the instruction pointer register could spawn a Python interactive shell over TCP by invoking an mprotect() system call, effectively bypassing NX bit protections, a technique described in prior exploitation research at 8ksec. The researchers set out a multi-step path to escalate that foothold into a full Linux shell in some cases.
The disclosure came alongside other watchTowr research highlighting chained risks. The group said a denial-of-service bug in Progress Telerik UI for AJAX (tracked as CVE-2025-3600) could enable remote code execution in certain environments; Progress Software addressed it in April, according to its knowledge base at Progress Telerik and commentary by Piotr Bazydlo at watchTowr Labs. The group also published research on a critical pre‑authentication command injection in Dell UnityVSA, which Dell remediated after disclosure, according to watchTowr and Dell’s advisory, including Dell’s notice of remediation.
WatchGuard said it has released fixes for affected releases – including 2025.1.1, 12.11.4 and other updates – in an advisory and urged customers to apply patches. The original vulnerability write-ups and vendor advisories are publicly available for review, including WatchGuard’s advisory.