A deep-dive into CVE-2025-9242, a critical (CVSS 4.0 score 9.3) stack-based buffer overflow in the IKEv2 implementation of WatchGuard Fireware OS. The vulnerability exists in the `ike2_ProcessPayload_CERT` function, where an attacker-controlled identification buffer is copied into a fixed 520-byte stack buffer without length validation. Exploitable pre-authentication via two IKEv2 packets (IKE_SA_INIT + IKE_SA_AUTH), it allows remote code execution on internet-exposed Firebox appliances. The analysis covers patch diffing between versions 12.11.3 and 12.11.4, IKEv2 protocol mechanics, version fingerprinting via a custom base64-encoded Vendor ID payload, and a full ROP chain exploit that spawns a reverse Python shell as root. Notably, the firmware lacks PIE, stack canaries, and even /bin/sh, requiring a custom mprotect-based ROP chain. A detection artefact generator has been published on GitHub.
Table of contents
- Who is WatchGuard and what is Fireware OS
- What is CVE-2025-9242
- Patch Diffing - CVE-2025-9242
- IKEv2, A Primer
- Part 1 - IKE_SA_INIT
- Part 2 - IKE_SA_AUTH
- Version Fingerprinting
- Triggering The Overflow
- It's Hammer Time - ROP, Shell, Jump
- Detection Artefact Generator
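The summary above describes the defect as a copy of wire-supplied data into a fixed 520-byte stack buffer with no length check. The following is an added example, not code from the watchTowr write-up or from Fireware OS: a hardened CERT payload handler that performs the missing check, and a detection-style walker that scans an IKEv2 payload chain for CERT payloads too large for that buffer. The payload layout follows RFC 7296 (a 4-byte generic header followed by a 1-byte Cert Encoding field); the function and constant names, the 520-byte size taken from the summary, and the test payloads are all constructed for this illustration and are not the firmware's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IKE2_PAYLOAD_NONE      0u   /* "No Next Payload" chain terminator (RFC 7296) */
#define IKE2_PAYLOAD_IDI      35u   /* Identification - Initiator */
#define IKE2_PAYLOAD_CERT     37u   /* Certificate */
#define IKE2_GENERIC_HDR_LEN   4u   /* Next Payload, C|RESERVED, Payload Length (16-bit) */
#define IKE2_CERT_FIXED_LEN    5u   /* generic header plus the 1-byte Cert Encoding field */
#define CERT_BUF_SIZE        520u   /* fixed buffer size reported in the write-up (assumed layout) */

enum cert_result {
    CERT_OK = 0,
    CERT_TRUNCATED,   /* fewer bytes received than a minimal CERT payload */
    CERT_WRONG_TYPE,  /* the Next Payload value naming this payload is not CERT */
    CERT_BAD_LENGTH,  /* declared Payload Length inconsistent with bytes received */
    CERT_TOO_LONG     /* certificate data would overflow the fixed buffer */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }

/* Hardened copy: the declared length is checked against the bytes actually
 * received and then against the destination capacity before any memcpy. */
enum cert_result copy_cert_checked(const uint8_t *p, size_t avail, uint8_t type,
                                   uint8_t out[CERT_BUF_SIZE], size_t *out_len)
{
    if (type != IKE2_PAYLOAD_CERT) return CERT_WRONG_TYPE;
    if (avail < IKE2_CERT_FIXED_LEN) return CERT_TRUNCATED;
    size_t plen = be16(p + 2);
    if (plen < IKE2_CERT_FIXED_LEN || plen > avail) return CERT_BAD_LENGTH;
    size_t data_len = plen - IKE2_CERT_FIXED_LEN;
    if (data_len > CERT_BUF_SIZE) return CERT_TOO_LONG;   /* the check the summary says is absent */
    memcpy(out, p + IKE2_CERT_FIXED_LEN, data_len);
    *out_len = data_len;
    return CERT_OK;
}

/* Detection helper: follow the payload chain of an IKEv2 message body (first
 * type comes from the IKE header's Next Payload field) and count CERT payloads
 * whose data exceeds CERT_BUF_SIZE. Returns -1 if a declared length runs past
 * the captured bytes, so a truncated capture is never misread as clean. */
int count_oversized_cert_payloads(const uint8_t *body, size_t body_len, uint8_t first_type)
{
    int count = 0;
    uint8_t type = first_type;
    size_t off = 0;
    while (type != IKE2_PAYLOAD_NONE) {
        if (body_len - off < IKE2_GENERIC_HDR_LEN) return -1;
        size_t plen = be16(body + off + 2);
        if (plen < IKE2_GENERIC_HDR_LEN || plen > body_len - off) return -1;
        if (type == IKE2_PAYLOAD_CERT && plen > IKE2_CERT_FIXED_LEN + CERT_BUF_SIZE) count++;
        type = body[off];      /* Next Payload names the type of the following payload */
        off += plen;
    }
    return count;
}

/* Constructed payload builder (test data, not real traffic): generic header,
 * `fixed` type-specific bytes, then `data_len` filler bytes. Returns bytes written or 0. */
static size_t build_payload(uint8_t *dst, size_t cap, uint8_t next, size_t fixed, size_t data_len)
{
    size_t total = IKE2_GENERIC_HDR_LEN + fixed + data_len;
    if (total > cap || total > 0xFFFF) return 0;
    dst[0] = next; dst[1] = 0;
    dst[2] = (uint8_t)(total >> 8); dst[3] = (uint8_t)(total & 0xFF);
    memset(dst + IKE2_GENERIC_HDR_LEN, 0x41, total - IKE2_GENERIC_HDR_LEN);
    return total;
}

/* Single CERT payload carrying data_len bytes, handed to the hardened copy. */
enum cert_result demo_copy_result(size_t data_len)
{
    static uint8_t pkt[0x10000];
    uint8_t out[CERT_BUF_SIZE];
    size_t n = 0;
    size_t total = build_payload(pkt, sizeof pkt, IKE2_PAYLOAD_NONE, 1, data_len);
    return copy_cert_checked(pkt, total, IKE2_PAYLOAD_CERT, out, &n);
}

/* Declared length exceeds what was received: must be rejected, not trusted. */
enum cert_result demo_declared_longer_than_received(void)
{
    uint8_t pkt[64], out[CERT_BUF_SIZE];
    size_t n = 0;
    size_t total = build_payload(pkt, sizeof pkt, IKE2_PAYLOAD_NONE, 1, 32);
    return copy_cert_checked(pkt, total - 1, IKE2_PAYLOAD_CERT, out, &n);
}

/* Chain: IDi (4 fixed + 8 id bytes) -> CERT with 600 bytes -> CERT with 100 bytes. */
static size_t build_demo_chain(uint8_t *body, size_t cap)
{
    size_t off = 0;
    off += build_payload(body + off, cap - off, IKE2_PAYLOAD_CERT, 4, 8);
    off += build_payload(body + off, cap - off, IKE2_PAYLOAD_CERT, 1, 600);
    off += build_payload(body + off, cap - off, IKE2_PAYLOAD_NONE, 1, 100);
    return off;
}

int demo_chain_count(void)
{
    uint8_t body[1024];
    size_t len = build_demo_chain(body, sizeof body);
    return count_oversized_cert_payloads(body, len, IKE2_PAYLOAD_IDI);
}

int demo_chain_truncated(void)
{
    uint8_t body[1024];
    size_t len = build_demo_chain(body, sizeof body);
    return count_oversized_cert_payloads(body, len - 1, IKE2_PAYLOAD_IDI);
}

int main(void)
{
    printf("520 bytes -> %d, 521 bytes -> %d\n", demo_copy_result(520), demo_copy_result(521));
    printf("oversized CERT payloads in demo chain: %d\n", demo_chain_count());
    return 0;
}
```

The chain walker is the shape a packet-level detection would take: it never trusts the 16-bit Payload Length on its own, compares each declared length against the bytes actually captured, and flags any CERT payload whose data would not fit the fixed buffer rather than attempting to copy it.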