The flaw, tracked as CVE-2025-9242, stems from an out-of-bounds write vulnerability in the IKEv2 implementation, potentially allowing remote attackers to execute arbitrary code without authentication.
Disclosed earlier this year, the issue highlights the dangers of unpatched firewalls in enterprise environments, where such devices often serve as the first line of defense against cyber threats.
Security researchers first flagged CVE-2025-9242 in WatchGuard’s Fireware OS versions prior to 12.10.3, affecting a wide range of the company’s popular firewall models, including the Firebox T-series and M-series appliances.
The vulnerability arises during the processing of IKEv2 packets, where improper bounds checking can lead to memory corruption. Attackers could exploit this remotely over the internet, potentially gaining full control of the device and pivoting to internal networks.
While WatchGuard released patches in March 2025, the sheer number of exposed instances suggests many organizations have yet to apply them, leaving critical infrastructure at risk.
The Shadowserver Foundation, a nonprofit dedicated to scanning for internet vulnerabilities, began sharing daily IP data on affected WatchGuard devices this week.
Their October 18, 2025, report identified over 71,000 vulnerable hosts worldwide, a figure that underscores the global scale of the problem. These scans focus on ISAKMP (Internet Security Association and Key Management Protocol) traffic, the backbone of VPN connections, where the IKEv2 flaw resides.
Shadowserver’s data, available through their Vulnerable ISAKMP reporting portal, includes anonymized IP addresses to help network defenders identify and remediate their own exposures.
Experts warn that exploiting CVE-2025-9242 could enable devastating attacks, such as ransomware deployment or data exfiltration, especially in sectors like healthcare and finance that rely heavily on WatchGuard hardware.
The CVSS v3.1 base score of 9.8 rates it as critical, emphasizing its ease of exploitation: no user interaction is required. Shadowserver noted a slight uptick in vulnerable devices since initial disclosures, possibly due to newly deployed or misconfigured systems.
WatchGuard urges immediate updates to Fireware OS 12.10.3 or later, alongside disabling IKEv2 if not essential. Cybersecurity firms like Rapid7 and Tenable have echoed these recommendations, advising organizations to audit their perimeters using tools like Shodan or Shadowserver’s feeds.
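As an added example (not from the article, WatchGuard or Shadowserver), the following Python triage script applies the advice above to a device inventory: it flags Fireware OS versions older than 12.10.3 and ranks each device by whether IKEv2 is enabled and whether the WAN side is internet-facing. The inventory format, column names, models and hostnames are constructed for this example.

```python
import csv
import re

FIXED_VERSION = (12, 10, 3)  # first fixed Fireware OS release named above

def parse_version(text):
    # Use only the leading dotted numeric part of a version string such as "12.10.3";
    # any trailing build/update label is ignored (an assumption about export formats).
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable(version_text, fixed=FIXED_VERSION):
    # Strictly older than the fixed release counts as vulnerable. Comparing int tuples
    # avoids the string-sort trap ("12.9.1" > "12.10.3"); unparseable means "review it".
    v = parse_version(version_text)
    if v is None:
        return True
    n = max(len(v), len(fixed))  # pad so 12.10 compares as 12.10.0
    return v + (0,) * (n - len(v)) < fixed + (0,) * (n - len(fixed))

def triage(inventory_csv):
    # Returns (hostname, action) for every device still below 12.10.3,
    # ranked by whether IKEv2 is on and whether the WAN side is reachable.
    findings = []
    for row in csv.DictReader(inventory_csv.splitlines()):
        if not is_vulnerable(row["fireware_version"]):
            continue
        ikev2_on = row["ikev2_enabled"].strip().lower() == "yes"
        exposed = row["wan_exposed"].strip().lower() == "yes"
        if ikev2_on and exposed:
            action = "URGENT: patch to 12.10.3+ now, or disable IKEv2 until patched"
        elif ikev2_on:
            action = "patch to 12.10.3+ (IKEv2 on, not internet-facing)"
        else:
            action = "patch to 12.10.3+ (IKEv2 off, lower priority)"
        findings.append((row["hostname"], action))
    return findings

# Constructed sample inventory; hostnames, models and columns are made up here.
SAMPLE_INVENTORY = """hostname,model,fireware_version,ikev2_enabled,wan_exposed
fw-hq-1,M370,12.9.1,yes,yes
fw-branch-2,T40,12.10.3,yes,yes
fw-lab-3,T20,12.10.10,yes,yes
fw-dc-4,M590,12.10,no,yes
fw-old-5,T35,unknown,yes,no
"""

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```

Feeding it a real export, add the column showing whether the Firebox appears in Shadowserver's Vulnerable ISAKMP feed to raise priority further.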
As threat actors increasingly target network edges amid rising geopolitical tensions, this incident serves as a wake-up call. With over 71,000 devices in the crosshairs, proactive defense remains the only shield against potential chaos.
The post 71,000+ WatchGuard Devices Vulnerable to Remote Code Execution Attacks appeared first on Cyber Security News.