The Shadowserver Foundation has uncovered more than 71,000 internet-exposed WatchGuard devices running vulnerable versions of Fireware OS.
The flaw, tracked as CVE-2025-9242, stems from an out-of-bounds write vulnerability in the IKEv2 implementation, potentially allowing remote attackers to execute arbitrary code without authentication.
Disclosed earlier this year, the issue highlights the dangers of unpatched firewalls in enterprise environments, where such devices often serve as the first line of defense against cyber threats.
Security researchers first flagged CVE-2025-9242 in WatchGuard’s Fireware OS versions prior to 12.10.3, affecting a range of the company’s popular firewall models, including the Firebox T-series and M-series appliances.
The vulnerability arises during the processing of IKEv2 packets, where improper bounds checking can lead to memory corruption. Attackers could exploit this remotely over the internet, potentially gaining full control of the device and pivoting to internal networks.
While WatchGuard released patches in March 2025, the sheer number of exposed instances suggests many organizations have yet to apply them, leaving critical infrastructure at risk.
WatchGuard Devices Exposed
The Shadowserver Foundation, a nonprofit dedicated to scanning for internet vulnerabilities, began sharing daily IP data on affected WatchGuard devices this week.
We are now sharing daily IP data on WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242 vulnerable instances, with over 71 000 seen on 2025-10-18. Data shared in our Vulnerable ISAKMP reportings – Top affected: US with 23.2K instances pic.twitter.com/dclXvC56jE — The Shadowserver Foundation (@Shadowserver) October 19, 2025
Their October 18, 2025, report identified over 71,000 vulnerable hosts worldwide, a figure that underscores the global scale of the problem. These scans focus on ISAKMP (Internet Security Association and Key Management Protocol) traffic, the backbone of VPN connections, where the IKEv2 flaw resides.
Shadowserver’s data, available through their Vulnerable ISAKMP reporting portal, includes anonymized IP addresses to help network defenders identify and remediate their own exposures.
Experts warn that exploiting CVE-2025-9242 could enable devastating attacks, such as ransomware deployment or data exfiltration, especially in sectors like healthcare and finance that rely heavily on WatchGuard hardware.
The CVSS v3.1 base score of 9.8 rates it as critical, emphasizing its ease of exploitation, with no user interaction required. Shadowserver noted a slight uptick in vulnerable devices since initial disclosures, possibly due to newly deployed or misconfigured systems.
WatchGuard urges immediate updates to Fireware OS 12.10.3 or later, alongside disabling IKEv2 if not essential. Cybersecurity firms like Rapid7 and Tenable have echoed these recommendations, advising organizations to audit their perimeters using tools like Shodan or Shadowserver’s feeds.
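As an added example (not code from Shadowserver, WatchGuard or the original article), the following sketch shows how a defender might match a daily vulnerability report against their own netblocks, as the passages on Shadowserver's data and on perimeter audits suggest. The CSV column names (timestamp, ip, port, tag), the tag value, the sample rows and the netblocks are all assumptions constructed for illustration, using documentation address ranges.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample report. Column names and the tag value are assumptions,
# not a documented feed schema; addresses are RFC 5737 documentation ranges.
SAMPLE_REPORT = """timestamp,ip,port,tag
2025-10-18 03:12:44,192.0.2.10,500,cve-2025-9242
2025-10-18 03:12:51,198.51.100.7,500,cve-2025-9242
2025-10-18 03:13:02,203.0.113.200,4500,cve-2025-9242
2025-10-18 03:13:09,not-an-ip,500,cve-2025-9242
2025-10-18 03:13:15,192.0.2.77,500,other-finding
"""

# Hypothetical netblocks owned by the organization running the check.
OUR_NETWORKS = ["192.0.2.0/24", "203.0.113.128/25"]


def exposed_hosts(report_text, networks, tag="cve-2025-9242"):
    """Return {network: [(ip, port, timestamp), ...]} for rows inside our ranges."""
    nets = [ipaddress.ip_network(n) for n in networks]
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(report_text)):
        if (row.get("tag") or "").strip().lower() != tag:
            continue  # a different finding, not this CVE
        try:
            addr = ipaddress.ip_address((row.get("ip") or "").strip())
        except ValueError:
            continue  # malformed address: skip the row, keep processing
        for net in nets:
            if addr in net:  # False when IP versions differ
                hits[str(net)].append((str(addr), row["port"], row["timestamp"]))
                break
    return dict(hits)


if __name__ == "__main__":
    for net, rows in exposed_hosts(SAMPLE_REPORT, OUR_NETWORKS).items():
        print(f"{net}: {len(rows)} host(s) reported vulnerable")
        for ip, port, seen in rows:
            print(f"  {ip} udp/{port} seen {seen}")
```

Hosts returned by this check are the ones to prioritize for the Fireware OS update or for disabling IKEv2 where it is not needed.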
As threat actors increasingly target network edges amid rising geopolitical tensions, this incident serves as a wake-up call. With over 71,000 devices in the crosshairs, proactive defense remains the only shield against potential chaos.