71,000+ WatchGuard Devices Vulnerable to Remote Code Execution Attacks
Shadowserver reports more than 71,000 internet-exposed WatchGuard Fireware devices vulnerable to CVE-2025-9242, a critical (CVSS 9.8) out-of-bounds write in IKEv2 that can lead to unauthenticated remote code execution. Although patches have been available since March 2025, the large number of exposed instances indicates lagging remediation, leaving perimeter firewalls open to takeover and lateral movement into internal networks.
CORTEX Protocol Intelligence Assessment
Business Impact: Edge device compromise enables complete network penetration and ransomware staging; managed VPN access is at risk.
Technical Context: IKEv2 processing flaw leads to memory corruption and RCE over ISAKMP; internet-wide scanning is ongoing.
Strategic Intelligence Guidance
- Upgrade Fireware OS to 12.10.3+ and disable IKEv2 if not required.
- Filter ISAKMP at perimeter and restrict management access to known IPs.
- Continuously monitor for anomalous VPN events and configuration changes.
- Leverage Shadowserver/Shodan telemetry to validate exposure.
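As an added example (not part of this assessment or of WatchGuard's own tooling), the script below triages a constructed exposure inventory against the 12.10.3 threshold stated in the guidance above, ranking unpatched devices by whether the IKEv2 code path is internet-reachable. The tolerant version parsing (dropping suffixes such as `_Update2`) is an assumption about how exported inventories format versions, and the hostnames are constructed.

```python
from dataclasses import dataclass

FIXED_VERSION = (12, 10, 3)  # patch threshold stated in the guidance above

def parse_fireware_version(text: str) -> tuple:
    # '12.5.13_Update2' -> (12, 5, 13); tolerating suffixes is an assumed export format.
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])

def is_vulnerable_version(text: str) -> bool:
    return parse_fireware_version(text) < FIXED_VERSION

@dataclass
class Device:
    host: str
    version: str
    ikev2_enabled: bool
    isakmp_exposed: bool  # udp/500 or udp/4500 reachable from the internet

def triage(devices):
    # Unpatched devices as (priority, host, action), most urgent first (0 = internet-reachable).
    findings = []
    for d in devices:
        if not is_vulnerable_version(d.version):
            continue  # already at or above the fixed release
        if d.ikev2_enabled and d.isakmp_exposed:
            findings.append((0, d.host, "patch now; filter ISAKMP or disable IKEv2 meanwhile"))
        elif d.ikev2_enabled:
            findings.append((1, d.host, "patch; IKEv2 on but ISAKMP not internet-reachable"))
        else:
            findings.append((2, d.host, "patch at next window; IKEv2 disabled"))
    return sorted(findings)

INVENTORY = [  # constructed sample data, not real hosts
    Device("fw-lab.example", "12.3.1_Update2", False, False),
    Device("fw-branch-01.example", "12.5.12", True, True),
    Device("fw-dc-02.example", "12.10.3", True, True),
    Device("fw-hq-edge.example", "12.10.4", True, True),
]

for prio, host, action in triage(INVENTORY):
    print(f"[P{prio}] {host}: {action}")
```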
Intelligence Source: 71,000+ WatchGuard Devices Vulnerable to Remote Code Execution Attacks | Oct 21, 2025