Massive WatchGuard Flaw Exposes Thousands of Fireboxes, CISA Issues Urgent Alert
Based on evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a significant security vulnerability affecting WatchGuard Fireware to its Known Exploited Vulnerabilities (KEV) list.
The vulnerability in question is CVE-2025-9242 (CVSS score: 9.3), an out-of-bounds write vulnerability that affects Fireware OS versions 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3, and 2025.1.
“WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code,” CISA said in an advisory.
Last month, watchTowr Labs disclosed the vulnerability’s specifics. According to the cybersecurity firm, the bug stems from a missing length check on an identification buffer used during the IKE handshake.
“The server does attempt certificate validation, but that validation happens after the vulnerable code runs, allowing our vulnerable code path to be reachable pre-authentication,” security researcher McCaulay Hudson noted.
No information is currently available on the scale of exploitation. As of November 12, 2025, about 54,300 Firebox instances remain exposed to the flaw, according to data from the Shadowserver Foundation, down from a peak of 75,955 on October 19.
The scans show about 18,500 of these devices in the United States. Rounding out the top five are Italy (5,400), the United Kingdom (4,000), Germany (3,600), and Canada (3,000). Federal Civilian Executive Branch (FCEB) entities are recommended to apply WatchGuard’s patches by December 3, 2025.
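As an added example (not code from the article, CISA, or WatchGuard), the following Python helper checks a Fireware OS version string against the affected ranges listed above so a defender can triage an inventory; the version-string grammar (dotted numbers with an optional `_UpdateN` suffix) and the sample hostnames are assumptions.

```python
import re
from typing import List, Tuple

# Affected Fireware OS ranges for CVE-2025-9242 as listed in the advisory,
# each an inclusive (lowest, highest) pair of version strings.
AFFECTED_RANGES = [
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.3"),
    ("2025.1", "2025.1"),
]

# Assumed grammar: "major.minor[.patch]" with an optional "_UpdateN" suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){1,2})(?:_Update(\d+))?$", re.IGNORECASE)


def parse_fireware_version(text: str) -> Tuple[int, int, int, int]:
    """Convert a version string into a comparable (major, minor, patch, update) tuple.
    "12.0" pads to (12, 0, 0, 0); "11.12.4_Update1" becomes (11, 12, 4, 1)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))           # pad missing patch component
    update = int(m.group(2)) if m.group(2) else 0
    return parts[0], parts[1], parts[2], update


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (inclusive bounds)."""
    v = parse_fireware_version(version)
    return any(parse_fireware_version(lo) <= v <= parse_fireware_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (hostname, version) pairs still running an affected build."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory with hypothetical hostnames; not real devices.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "12.11.3"),          # inside 12.0 - 12.11.3
    ("fw-branch-02", "12.11.4"),          # above the listed range
    ("fw-legacy-01", "11.12.4_Update1"),  # top of the 11.x range
    ("fw-legacy-02", "11.12.4_Update2"),  # beyond the 11.x range
    ("fw-new-01", "2025.1"),              # listed as affected
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: Fireware {ver} is in an affected range; patch required")
```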
