{“lastseen”:”2025-10-17T09:37:04″,”description”:”\\n\\nCybersecurity researchers have disclosed details of a recently patched critical security flaw in WatchGuard Fireware that could allow unauthenticated attackers to execute arbitrary code.\\n\\nThe vulnerability, tracked as CVE-2025-9242 (CVSS score: 9.3), is described as an out-of-bounds write vulnerability affecting Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.\\n\\n\\”An out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code,\\” WatchGuard said in an advisory released last month. \\”This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.\\”\\n\\nIt has been addressed in the following versions -\\n\\n * 2025.1 – Fixed in 2025.1.1\\n * 12.x – Fixed in 12.11.4\\n * 12.3.1 (FIPS-certified release) – Fixed in 12.3.1_Update3 (B722811)\\n * 12.5.x (T15 \\u0026 T35 models) – Fixed in 12.5.13)\\n * 11.x – Reached end-of-life\\n\\n\\n\\n\\n\\nA new analysis from watchTowr Labs has described CVE-2025-9242 as \\”all the characteristics your friendly neighbourhood ransomware gangs love to see,\\” including the fact that it affects an internet-exposed service, is exploitable sans authentication, and can execute arbitrary code on a perimeter appliance.\\n\\nThe vulnerability, per security researcher McCaulay Hudson, is rooted in the function \\”ike2_ProcessPayload_CERT\\” present in the file \\”src\/ike\/iked\/v2\/ike2_payload_cert.c\\” that’s designed to copy a client \\”identification\\” to a local stack buffer of 520 bytes, and then validate the provided client SSL certificate.\\n\\nThe issue arises as a result of a missing length check on the identification buffer, thereby allowing an attacker to trigger an overflow and achieve remote code execution during the IKE_SA_AUTH phase of the handshake process used to establish a virtual private network (VPN) tunnel between a client and WatchGuard’s VPN service via the IKE key management protocol.\\n\\n\\”The server does attempt certificate validation, but that validation happens after the vulnerable code runs, allowing our vulnerable code path to be reachable pre-authentication,\\” Hudson said.\\n\\nWatchTowr noted that while WatchGuard Fireware OS lacks an interactive shell such as \\”\/bin\/bash,\\” it’s possible to for an attacker to weaponize the flaw and gain control of the instruction pointer register (aka RIP or program counter) to ultimately spawn a Python interactive shell over TCP by leveraging an mprotect() system call, effectively bypassing NX bit (aka no-execute bit) mitigations.\\n\\nOnce the remote Python shell, the foothold can be escalated further through a multi-step process to obtain a full Linux shell -\\n\\n * Directly executing execve within Python in order to remount the filesystem as read\/write\\n * Downloading a BusyBox busybox binary onto the target\\n * Symlinking \/bin\/sh to the BusyBox binary\\n\\n\\n\\nThe development comes as watchTowr demonstrated that a now-fixed denial-of-service (DoS) vulnerability impacting Progress Telerik UI for AJAX (CVE-2025-3600, CVSS score: 7.5) can also enable remote code execution depending on the targeted environment. The vulnerability was addressed by Progress Software on April 30, 2025.\\n\\n\\n\\n\\”Depending on the target codebase \u2013 for example, the presence of particular no-argument constructors, finalizers, or insecure assembly resolvers \u2013 the impact can escalate to remote code execution,\\” security researcher Piotr Bazydlo said.\\n\\nEarlier this month, watchtower’s Sina Kheirkhah also shed light on a critical pre-authenticated command injection flaw in Dell UnityVSA (CVE-2025-36604, CVSS score: 9.8\/7.3) that could result in remote command execution. Dell remediated the vulnerability in July 2025 following responsible disclosure on March 28.\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2025-10-17T09:25:00″,”modified”:”2025-10-17T09:25:00″,”type”:”thn”,”title”:”Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices”,”source”:””,”references”:””,”id”:”THN:15DCFEE23071E302722C25BEEC2A0AEA”,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[“CVE-2025-3600″,”CVE-2025-36604″,”CVE-2025-9242″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2025\/10\/researchers-uncover-watchguard-vpn-bug.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-17T09:37:04″,”description”:”\\n\\nCybersecurity researchers have disclosed details of a recently patched critical security flaw in WatchGuard Fireware that could allow unauthenticated attackers to execute arbitrary code.\\n\\nThe vulnerability,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,35,12,13,7,11,43,5],"class_list":["post-22198","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n