The cybersecurity community has raised the alarm following daily reporting of vulnerable WatchGuard devices affected by a major security flaw.
According to newly published data, security researchers at Shadowserver observed over 71,000 WatchGuard devices exposed worldwide to a flaw that could allow remote code execution attacks.
This surge in exposure heightens the urgency for organizations to patch and secure their network infrastructure immediately.
Massive Exposure Linked to CVE-2025-9242
The vulnerability in question, tracked as CVE-2025-9242, affects WatchGuard Fireware OS and is related to an Out-of-Bounds Write in the IKEv2 ISAKMP component.
This flaw enables remote attackers to execute arbitrary code on unpatched devices simply by sending specially crafted network packets.
Shadowserver’s extensive internet scanning efforts revealed that these weaknesses are widespread, with over 71,000 exposed WatchGuard Fireware OS devices across multiple sectors and geographies.
The vulnerable surface consists largely of firewall appliances and VPN gateways commonly deployed in organizations to secure remote access.
The scale of the discovery not only underlines the popularity of WatchGuard products but also signals a significant attack surface for cybercriminals to exploit.
| CVE Details | Information |
|---|---|
| CVE ID | CVE-2025-9242 |
| Affected Product | WatchGuard Fireware OS |
| Vulnerability Type | Out-of-Bounds Write |
| Affected Component | IKEv2 ISAKMP |
| CVSS 3.1 Score | 9.8 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Impact | Remote Code Execution (RCE) |
| Exposed Devices | 71,000+ |
| Discovery Date | October 18, 2025 |
| Reported By | Shadowserver |
Shadowserver began tracking and sharing live daily data on compromised IPs associated with CVE-2025-9242.
Their reporting uses active scanning to identify vulnerable WatchGuard Fireware OS systems visible on the Internet.
Each day, organizations and network administrators receive fresh intelligence on exposed assets, allowing them to take immediate action.
The daily figures serve as both a warning and a call to action. In their recent reporting, over 71,000 vulnerable instances were confirmed on a single day.
The numbers reveal a persistent lack of patching and a general delay in remediation by many organizations, despite clear public advisories.
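One way to act on such a daily report is to match it against your own address ranges and compare it with the previous day's, so that new and lingering exposures stand out. This is an added example, not Shadowserver's code or report format: the column names (`ip`, `port`, `tag`), the tag value and the owned ranges are assumptions, and the sample rows are constructed from documentation address ranges.

```python
import csv
import io
import ipaddress

# Constructed sample reports. Column names and the tag value are assumptions;
# all addresses come from the RFC 5737 documentation ranges.
DAY1 = """ip,port,tag
192.0.2.10,500,cve-2025-9242
192.0.2.11,500,cve-2025-9242
198.51.100.7,500,cve-2025-9242
203.0.113.5,4500,cve-2025-9242
203.0.113.9,500,other-tag
"""
DAY2 = """ip,port,tag
192.0.2.11,500,cve-2025-9242
203.0.113.5,4500,cve-2025-9242
203.0.113.77,500,cve-2025-9242
not-an-ip,500,cve-2025-9242
"""
OWNED = ["192.0.2.0/24", "203.0.113.0/25"]  # hypothetical organisation ranges

def owned_exposures(report_csv, owned_cidrs, tag="cve-2025-9242"):
    """Return the set of (ip, port) rows carrying `tag` inside our ranges."""
    nets = [ipaddress.ip_network(c) for c in owned_cidrs]
    hits = set()
    for row in csv.DictReader(io.StringIO(report_csv)):
        if tag not in (row.get("tag") or "").lower().split(";"):
            continue
        try:
            addr = ipaddress.ip_address((row.get("ip") or "").strip())
            port = int(row.get("port") or "")
        except ValueError:
            continue  # skip malformed rows instead of aborting the whole run
        if any(addr in net for net in nets):
            hits.add((str(addr), port))
    return hits

def triage(prev_csv, curr_csv, owned_cidrs):
    """Compare two daily reports for the same organisation."""
    prev = owned_exposures(prev_csv, owned_cidrs)
    curr = owned_exposures(curr_csv, owned_cidrs)
    return {
        "new": sorted(curr - prev),                 # appeared since yesterday
        "still_exposed": sorted(curr & prev),       # remediation is overdue
        "no_longer_reported": sorted(prev - curr),  # confirm the patch on-device
    }

if __name__ == "__main__":
    print(triage(DAY1, DAY2, OWNED))
```

An address dropping out of the report only shows that the scan no longer saw it, so the `no_longer_reported` entries still need the firmware version confirmed on the device itself.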
Exposed WatchGuard devices are at heightened risk of remote attacks, including full system compromise, data theft, or disruption of business operations.
Experts strongly urge IT teams to patch all affected systems running WatchGuard Fireware OS and verify that no unauthorized access has already occurred.
This incident highlights the ongoing need for continuous vulnerability management, proactive security monitoring, and the value of shared threat intelligence provided by platforms like Shadowserver.
Quick intervention and ongoing vigilance will be critical to defending enterprise perimeters against attackers exploiting CVE-2025-9242.