YIKES WatchGuard Fireware OS IKEv2 out-of-bounds write (CVE-... #1507
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Vuln overview
CVE-2025-9242 is a pre-authentication stack-based buffer overflow in WatchGuard Fireware OS's IKEv2 daemon (/usr/bin/iked). It impacts both Mobile User VPN (IKEv2) and Branch Office VPN (IKEv2) when the peer is configured as a dynamic gateway. Critically, even if IKEv2 dynamic peers were removed later, devices may remain vulnerable if a Branch Office VPN to a static peer is still configured. CVSS 4.0: 9.3 (Critical). Affected versions: 11.10.2–11.12.4_Update...
🔧 Technical Details
Unauthenticated IKEv2 reachability to memory corruption
Abuse the IKEv2 handshake flow: a valid IKE_SA_INIT followed by IKE_SA_AUTH allows attacker-controlled Identification (IDi) to be processed before certificate validation. Oversized IDi triggers a stack overflow in the CERT handling routine, granting control of saved registers and RIP.
Fingerprinting via non-standard Vendor ID
Leverage WatchGuard's custom Vendor ID extension: parse the base64 following the 32-byte hash to extract VN/BN (version/build). This enables single-packet, pre-auth version identification to rapidly scope exposure.
Mitigation bypass model
When NX is present but other mitigations are absent (no PIE/canaries), construct a ROP chain to adjust memory protections (e.g., mprotect) and then execute injected code. If /bin/sh is unavailable, pivot to an existing userland interpreter (e.g., Pytho...
🤖 Agent Actions
I analyzed the blog and found concrete, highly technical content relevant to IPsec/IKEv2 pentesting: a pre-auth stack overflow in WatchGuard’s IKEv2 daemon, a practical IKEv2 fingerprinting technique via a non-standard Vendor ID, and exploitation notes for environments with NX but lacking PIE/canaries. These techniques fit best in the existing “IPsec/IKE VPN” page.
What I changed
File modified
Why this location
References added
No other changes were necessary.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
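An added example, not code from the blog post, from WatchGuard or from HackTricks: a bounded parser for the IKEv2 Identification payload that rejects an oversized IDi before copying any of it, illustrating the length check whose absence the Technical Details summary above describes. The 255-byte destination buffer, the function names and the sample payloads are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added illustration, not WatchGuard's code: bounded parsing of an IKEv2
 * Identification (IDi) payload, RFC 7296 s3.5: [0] Next Payload, [1] C|Reserved,
 * [2..3] Payload Length (big-endian, counts this 8-byte fixed part),
 * [4] ID Type, [5..7] Reserved, [8..] Identification Data. */
#define IKE_ID_FIXED_LEN 8
#define IKE_ID_DATA_MAX  255   /* assumed size of the fixed-size stack buffer downstream */
typedef struct {
    uint8_t id_type;
    size_t  data_len;
    uint8_t data[IKE_ID_DATA_MAX];
} ike_id_t;
/* Returns 0 on success; a negative code means the payload was rejected
 * before any attacker-controlled byte was copied. */
int parse_ike_id_payload(const uint8_t *buf, size_t buf_len, ike_id_t *out)
{
    if (buf == NULL || out == NULL || buf_len < IKE_ID_FIXED_LEN)
        return -1;                             /* truncated fixed part */
    uint16_t payload_len = (uint16_t)((buf[2] << 8) | buf[3]);
    if (payload_len < IKE_ID_FIXED_LEN || payload_len > buf_len)
        return -2;                             /* declared length disagrees with the message */
    size_t data_len = payload_len - IKE_ID_FIXED_LEN;
    if (data_len > IKE_ID_DATA_MAX)
        return -3;                             /* oversized IDi: reject instead of overflowing */
    out->id_type  = buf[4];
    out->data_len = data_len;
    memcpy(out->data, buf + IKE_ID_FIXED_LEN, data_len);  /* bounded by the check above */
    return 0;
}
/* Constructed sample payloads; returns 0 when every case behaves as intended. */
int ike_id_selfcheck(void)
{
    ike_id_t id;
    /* ID_FQDN (type 2) "vpn.example", 11 bytes: payload length 8 + 11 = 0x13 */
    const uint8_t ok[19] = {0x27, 0x00, 0x00, 0x13, 0x02, 0, 0, 0,
                            'v','p','n','.','e','x','a','m','p','l','e'};
    if (parse_ike_id_payload(ok, sizeof ok, &id) != 0 || id.id_type != 2 ||
        id.data_len != 11 || memcmp(id.data, "vpn.example", 11) != 0) return 1;
    uint8_t lying[19];                         /* header claims 64 bytes, only 19 present */
    memcpy(lying, ok, sizeof lying); lying[3] = 0x40;
    if (parse_ike_id_payload(lying, sizeof lying, &id) != -2) return 2;
    uint8_t big[308] = {0x27, 0x00, 0x01, 0x34, 0x0b};   /* 300 data bytes, ID_KEY_ID */
    if (parse_ike_id_payload(big, sizeof big, &id) != -3) return 3;
    return 0;
}
```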