The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw impacting WatchGuard Fireware to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
WatchGuard RCE Vulnerability
The vulnerability, tracked as CVE-2025-9242 (CVSS score 9.3), is an out-of-bounds write flaw in the Fireware OS iked process. This issue allows a remote unauthenticated attacker to execute arbitrary code on WatchGuard Firebox appliances.
Security researchers first shared details on the flaw last month, explaining that the issue stems from a missing length check on an identification buffer used during the IKE handshake process. The vulnerable code is accessible before certificate validation or authentication occurs.
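The defensive pattern the fix implies, as an added illustration that is not WatchGuard's code: a parser for the IKEv2 Identification payload (RFC 7296 section 3.5) that validates the declared payload length against both the bytes actually received and the fixed-size destination before copying. The `peer_id` structure, `ID_DATA_MAX` and the function name are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical fixed-size store for the peer's identification data. */
#define ID_DATA_MAX 64

struct peer_id {
    uint8_t  id_type;
    uint16_t id_len;                 /* bytes actually copied */
    uint8_t  id_data[ID_DATA_MAX];
};

/* Generic payload header (4 bytes) + ID Type (1) + RESERVED (3). */
#define PAYLOAD_HDR_LEN 4
#define ID_FIXED_LEN   (PAYLOAD_HDR_LEN + 4)

/* Parse one Identification payload from `buf` holding `buf_len` bytes.
   Returns the number of bytes consumed, or -1 if the payload is malformed.
   Every length is checked against both the remaining packet bytes and the
   destination buffer BEFORE anything is written. The bug class described
   for CVE-2025-9242 is what remains when the second check is missing and
   the copy trusts the attacker-supplied length; this code runs before any
   authentication, so the check is the only thing protecting memory. */
int parse_id_payload(const uint8_t *buf, size_t buf_len, struct peer_id *out)
{
    if (buf == NULL || out == NULL || buf_len < ID_FIXED_LEN)
        return -1;

    /* Payload Length is big-endian and includes the generic header. */
    uint16_t payload_len = (uint16_t)((buf[2] << 8) | buf[3]);
    if (payload_len < ID_FIXED_LEN || payload_len > buf_len)
        return -1;                   /* claims more bytes than received */

    size_t id_data_len = payload_len - ID_FIXED_LEN;
    if (id_data_len > ID_DATA_MAX)
        return -1;                   /* would overflow id_data */

    out->id_type = buf[PAYLOAD_HDR_LEN];
    out->id_len  = (uint16_t)id_data_len;
    memcpy(out->id_data, buf + ID_FIXED_LEN, id_data_len);
    return (int)payload_len;
}
```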
While the specifics and scale of the ongoing exploitation are currently unknown, data from the Shadowserver Foundation indicates that over 54,300 Firebox instances worldwide remained vulnerable as of November 12, 2025. Roughly 18,500 of these vulnerable devices are located in the U.S.
Federal Civilian Executive Branch (FCEB) agencies are mandated to apply WatchGuard’s patches by December 3, 2025.
Other KEV Additions
In addition to the WatchGuard flaw, CISA also added two other actively exploited vulnerabilities to the KEV catalog: CVE-2025-62215, a recently disclosed flaw in the Windows kernel, and CVE-2025-12480, an improper access control vulnerability in Gladinet Triofox. The exploitation of the Triofox flaw has been attributed to the threat actor tracked as UNC6485.