Related vulnerability
Title: WatchGuard Fireware OS security vulnerability (CVE-2025-9242). Description: WatchGuard Fireware OS is software from the US company WatchGuard that runs on Firebox appliances. Fireware OS versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3 and 2025.1 contain a security vulnerability caused by an out-of-bounds write, which may allow a remote unauthenticated attacker to execute arbitrary code.
Description
CVE-2025-9242
Introduction
# 🔥 CVE-2025-9242 — Critical WatchGuard Firebox VPN RCE
**Remote Unauthenticated Code Execution in Fireware OS (IKEv2)**
**Severity: 9.8 / Critical 🚨**
---
## 🧩 What This Vulnerability Is
* A **remote out-of-bounds write** bug in **Fireware OS’s `iked` process** (IKEv2 VPN engine).
* Allows **unauthenticated attackers on the internet** to **execute arbitrary code** on WatchGuard Firebox appliances.
* Affects **mobile user IKEv2 VPN** and **branch office VPN with dynamic gateway peers**; in some configurations the device remains vulnerable even when only **static peers** are configured.
---
## 🎯 Attack Surface
* Runs on **UDP 500/4500**, usually publicly exposed for VPN access.
* Exploit requires **no credentials**, no user interaction.
* High-impact RCE → full device takeover → possible network compromise.
---
## 🛑 Affected Fireware OS Versions
📌 **Vulnerable:**
* **11.10.2 – 11.12.4_Update1**
* **12.0 – 12.11.3**
* **2025.1**
📌 **Fixed Versions:**
* **12.11.4**
* **2025.1.1**
* **12.5.13** (T15 & T35)
* **12.3.1_Update3** (FIPS)
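As an added example (not from the README or from WatchGuard), a small Python checker that maps a Fireware OS version string onto the vulnerable ranges and fixed builds listed above, for running over a device inventory as part of the "What to Verify" step. The branch names `main`, `2025`, `t15_t35` and `fips` are assumptions; a device whose branch is not given is judged against the main 12.x fixed build, so a T15/T35 on 12.5.13 is reported vulnerable unless its branch is passed explicitly.

```python
import re
from typing import Optional, Tuple

# Vulnerable ranges and fixed builds exactly as the README lists them.
VULNERABLE_RANGES = [("11.10.2", "11.12.4_Update1"), ("12.0", "12.11.3"), ("2025.1", "2025.1")]
# First fixed build per firmware branch. The branch names are chosen here (assumption);
# the README only labels them "(T15 & T35)" and "(FIPS)".
FIXED_BY_BRANCH = {"main": "12.11.4", "2025": "2025.1.1", "t15_t35": "12.5.13", "fips": "12.3.1_Update3"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'11.12.4_Update1' -> (11, 12, 4, 1); a missing patch or Update field becomes 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware OS version string: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def assess(version: str, branch: Optional[str] = None) -> str:
    """Return 'patched', 'vulnerable' or 'not listed' for one appliance.

    branch picks the fixed build to compare against; when omitted, 2025.x builds use the
    2025 branch and everything else the main 12.x line. Assumption: any build at or above
    the branch's first fixed version (same major) is patched; the README names only the
    first fixed build of each branch.
    """
    v = parse_version(version)
    if branch is None:
        branch = "2025" if v[0] == 2025 else "main"
    fixed = parse_version(FIXED_BY_BRANCH[branch])
    if v[0] == fixed[0] and v >= fixed:
        return "patched"
    for low, high in VULNERABLE_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return "vulnerable"
    return "not listed"  # e.g. older than 11.10.2: outside the advisory's ranges


if __name__ == "__main__":
    # Constructed sample inventory (hostname, version, branch); not real devices.
    inventory = [("fw-hq", "12.11.3", None), ("fw-dc", "12.11.4", None), ("fw-t35", "12.5.13", "t15_t35"),
                 ("fw-fips", "12.3.1_Update1", "fips"), ("fw-new", "2025.1", None), ("fw-old", "11.12.4_Update1", None)]
    for host, ver, br in inventory:
        print(f"{host:8} {ver:17} {assess(ver, br)}")
```

Treat "not listed" as "check the vendor advisory", not as safe: it only means the build falls outside the ranges this README reproduces.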
---
## 🧠 Technical Breakdown
💥 The vulnerability is caused by an unsafe `memcpy()` inside:
* `ike2_ProcessPayload_CERT` — improperly bounds-checked certificate payloads
* Attacker crafts malicious IKEv2 CERT payload → memory corruption → RCE
⚙️ Key characteristics:
* **AV:N / AC:L / PR:N / UI:N**
* **Full confidentiality, integrity, and availability impact**
---
## ⚠️ Why It’s Severe
🔥 Perimeter devices (VPN/firewalls)
🔥 Full system compromise potential
🔥 High-value attack targets
🔥 CISA added it to the **Known Exploited Vulnerabilities (KEV)** list
🔥 Public research & PoC-level descriptions exist
---
## 🛡️ Mitigation & Remediation
### ✅ **Immediate Actions**
* **Update firmware** to the fixed version for your branch.
* **Disable IKEv2 VPN** temporarily if patching is not possible.
* **Restrict VPN exposure** (geo/IP allowlist, upstream firewall rules).
* **Audit logs** for unusual IKEv2 negotiations or repeated CERT payloads.
### 🔍 Detection Checklist
* Strange rekeying patterns
* Large or malformed CERT payloads
* Crashes or restarts of `iked`
* Unexpected outbound connections from the firewall
---
## 🗂️ What to Verify on Your Devices
✔ Fireware OS version
✔ Whether IKEv2 is enabled (mobile/branch office)
✔ If any **dynamic gateway peers** exist
✔ If port **UDP 500/4500** is internet-exposed
✔ Patch status
✔ Log anomalies
✔ Device integrity / configuration tampering
---
## 📚 Additional Notes
* Some devices **remain vulnerable even after removing IKEv2 Mobile VPN** — because **branch office IKEv2 peers** still trigger the vulnerable code path.
* Firebox appliances are widespread across SMEs → large potential exposure.
* Public scanning shows many unpatched devices.
* A publicly available **detection script** exists; functional exploit code may surface.
---
File snapshot
[4.0K] /data/pocs/e33ef18e246cb1d48cf6013eff900ea217de05eb
└── [3.0K] README.md
1 directory, 1 file
Notes
1. Accessing the original source is recommended.
2. If the source has gone offline or cannot be reached, email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.