WatchGuard VPN Vulnerability Lets Remote Attackers Execute Arbitrary Code
WatchGuard has disclosed a critical out-of-bounds write vulnerability in its Fireware OS, enabling remote unauthenticated attackers to execute arbitrary code via IKEv2 VPN connections.
An attacker can send crafted IKE_SA_INIT and IKE_SA_AUTH packets to trigger an out-of-bounds write in the ike2_ProcessPayload_CERT function, where attacker-controlled identification data overflows a 520-byte stack buffer without sufficient bounds checking.
Exploiting CVE-2025-9242 involves fingerprinting the firmware version via a custom Vendor ID payload in IKE_SA_INIT responses, which embeds base64-encoded details like “VN=12.11.3 BN=719894” for easy identification.
WatchTowr demonstrated remote code execution by chaining gadgets to invoke mprotect for stack execution, deploying reverse TCP shellcode that spawns a root Python interpreter, potentially enabling filesystem remounts or BusyBox downloads for full shell access.
To read the complete article see: