Overview
- CISA said CVE-2025-9242 enables unauthenticated remote code execution via an out-of-bounds write in Fireware’s iked process and confirmed active exploitation.
- The vulnerability affects Fireware OS 11.10.2–11.12.4_Update1, 12.0–12.11.3, and 2025.1, with vendor fixes released on September 17.
- Shadowserver observed just over 54,300 internet-exposed Firebox devices still vulnerable as of November 12, including about 18,500 in the U.S.
- WatchTowr Labs attributed the bug to a missing length check that is reachable pre-authentication during the IKEv2 handshake, though no detailed public exploit method has been shared.
- Under BOD 22-01, FCEB agencies must remediate by December 3, and CISA simultaneously added Windows CVE-2025-62215 and Gladinet Triofox CVE-2025-12480 to KEV, with Mandiant tying exploitation of the latter to UNC6485.
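A version check a defender can run over an asset inventory, written as an added example for this summary (not code from CISA, WatchGuard or Shadowserver): it parses Fireware version strings, including the _UpdateN suffix, and flags devices whose version falls inside the affected ranges listed above. The hostnames and versions in SAMPLE_INVENTORY are constructed, and treating every 2025.1 build as affected is an assumption, since the summary names only "2025.1".

```python
import re
from typing import Dict, List, Tuple

# Inclusive affected ranges exactly as the summary above lists them.
AFFECTED_RANGES = [
    ("11.10.2", "11.12.4_Update1"),
    ("12.0", "12.11.3"),
]
# The summary names "2025.1" as a whole; flagging every 2025.1 build
# (e.g. 2025.1_Update1) is an assumption made here, not a statement from
# the advisory. Confirm against the vendor's fixed-version list.
AFFECTED_BRANCHES = [(2025, 1)]

# Constructed sample inventory (hostname -> reported Fireware version).
SAMPLE_INVENTORY: Dict[str, str] = {
    "fw-edge-01": "12.11.3",
    "fw-edge-02": "12.11.4",          # constructed; above the listed ceiling
    "fw-branch-a": "11.12.4_Update1",
    "fw-branch-b": "11.10.1",         # constructed; below the listed floor
    "fw-lab": "2025.1_Update1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?$")


def parse_fireware_version(version: str) -> Tuple[int, int, int, int]:
    """Map '11.12.4_Update1' -> (11, 12, 4, 1) so tuples compare in release order.

    A missing patch or update component counts as 0, so '12.0' sorts before
    '12.0.1' and '11.12.4' sorts before '11.12.4_Update1'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {version!r}")
    major, minor, patch, update = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch, update)


def is_affected(version: str) -> bool:
    """True when the version is inside a listed range or an assumed branch."""
    v = parse_fireware_version(version)
    if v[:2] in AFFECTED_BRANCHES:
        return True
    return any(parse_fireware_version(lo) <= v <= parse_fireware_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage_inventory(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose reported version is affected, sorted for a report."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))
```

The check is literal to the ranges in the summary: a build above a listed ceiling (such as the constructed 12.11.4) is not flagged, so pair it with the vendor's published fixed versions before closing a ticket.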