WatchGuard Firebox iked Out of Bounds Write Vulnerability
Updated 19 December 2025: Updated to clarify the significance of outbound vs inbound connections involving the IP addresses listed under the Indicators of Attack
An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.
If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.
WatchGuard has observed threat actors actively attempting to exploit this vulnerability in the wild.
Indicators of Attack
We are providing the following Indicators of Attack (IoAs) to help device owners identify potential attempts to exploit this vulnerability against vulnerable Firebox appliances. These IoAs apply only to devices running a Fireware OS version that lacks the resolution described later in this advisory.
IP Addresses
The following IP addresses are directly associated with known threat actor activity. Outbound connections to these IPs are a strong indicator of compromise. Inbound connections from these IPs could indicate reconnaissance efforts or exploit attempts.
- 45.95.19[.]50
- 51.15.17[.]89
- 172.93.107[.]67
- 199.247.7[.]82
Logs
Invalid peer certificate chain
With iked diagnostic logging set to the default error logging level, the iked process generates a log message when the Firebox receives an IKEv2 IKE_AUTH message containing more than 8 certificates. This is a medium indicator of attack that the WatchGuard Threat Lab has observed in some threat actor activity.
1970-01-01 01:00:00 2025 Firebox-Name local3.err iked[2938]: (203.0.113.1<->203.0.113.2) Received peer certificate chain is longer than 8. Reject this certificate chain
Abnormally large IKE_AUTH request CERT payload
With iked diagnostic logging set to the info logging level, the iked process generates a log message for each IKE_AUTH request message the Firebox receives, including the size of each payload. An IKE_AUTH request log message with an abnormally large CERT payload (greater than 2000 bytes) is a strong indicator of attack.
1970-01-01 01:00:00 iked (203.0.113.1<->203.0.113.2)"IKE_AUTH request" message has 6 payloads [ IDi(sz=21) CERT(sz=3000) SA(sz=44) TSi(sz=24) TSr(sz=24) N(sz=8)]
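The following Python script is an added example, not part of WatchGuard's advisory or tooling. It applies the three log-based indicators above to iked log lines: a listed IoA address appearing in the IKE peer pair, the rejected over-long certificate chain (medium), and an IKE_AUTH request whose CERT payload exceeds 2000 bytes (strong). The regular expressions are assumptions about the log format shown in the two sample messages; the sample lines below are constructed to match that format, and the defanged IP list is un-defanged so it can be matched. Because the advisory does not state which side of the `<->` pair is the Firebox, both addresses are checked.

```python
import re

# The four IP addresses listed under Indicators of Attack (defanged in the
# advisory; written plainly here so they can be matched against log text).
IOA_IPS = {"45.95.19.50", "51.15.17.89", "172.93.107.67", "199.247.7.82"}

# Advisory threshold: a CERT payload larger than this in an IKE_AUTH request
# is a strong indicator of attack.
CERT_PAYLOAD_THRESHOLD = 2000

# Assumed log format, taken from the two sample messages in the advisory.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER_RE = re.compile(rf"\(({IPV4})<->({IPV4})\)")
CHAIN_RE = re.compile(r"Received peer certificate chain is longer than (\d+)")
IKE_AUTH_RE = re.compile(r'"IKE_AUTH request" message has \d+ payloads \[(.*?)\]')
PAYLOAD_RE = re.compile(r"([A-Za-z]+)\(sz=(\d+)\)")


def analyze_line(line):
    """Return a list of (severity, indicator, detail) findings for one iked log line.

    Severities follow the advisory: the over-long certificate chain is "medium";
    an oversized IKE_AUTH CERT payload and a listed IoA address are "strong".
    """
    findings = []

    # The advisory does not say which side of "<->" is the Firebox, so both
    # addresses in the peer pair are checked against the IoA list.
    m = PEER_RE.search(line)
    if m:
        for ip in m.groups():
            if ip in IOA_IPS:
                findings.append(("strong", "ioa_ip", ip))

    # Logged at the default error level: chain longer than 8 certificates rejected.
    m = CHAIN_RE.search(line)
    if m:
        findings.append(("medium", "long_cert_chain", m.group(1)))

    # Logged only at the info level: per-payload sizes of each IKE_AUTH request.
    m = IKE_AUTH_RE.search(line)
    if m:
        for name, size in PAYLOAD_RE.findall(m.group(1)):
            if name == "CERT" and int(size) > CERT_PAYLOAD_THRESHOLD:
                findings.append(("strong", "large_cert_payload", size))

    return findings


def analyze_log(lines):
    """Map each line index to its findings, omitting lines with none."""
    return {i: f for i, line in enumerate(lines) if (f := analyze_line(line))}


# Constructed sample lines in the advisory's format. 203.0.113.x is documentation
# address space; the third line deliberately uses a listed IoA address and the
# fourth is a benign request that should produce no finding.
SAMPLE_LOG = [
    "1970-01-01 01:00:00 2025 Firebox-Name local3.err iked[2938]: (203.0.113.1<->203.0.113.2) "
    "Received peer certificate chain is longer than 8. Reject this certificate chain",
    '1970-01-01 01:00:00 iked (203.0.113.1<->203.0.113.2)"IKE_AUTH request" message has 6 payloads '
    "[ IDi(sz=21) CERT(sz=3000) SA(sz=44) TSi(sz=24) TSr(sz=24) N(sz=8)]",
    '1970-01-01 01:00:00 iked (203.0.113.1<->45.95.19.50)"IKE_AUTH request" message has 6 payloads '
    "[ IDi(sz=21) CERT(sz=1200) SA(sz=44) TSi(sz=24) TSr(sz=24) N(sz=8)]",
    '1970-01-01 01:00:00 iked (203.0.113.1<->203.0.113.9)"IKE_AUTH request" message has 5 payloads '
    "[ IDi(sz=21) CERT(sz=1500) SA(sz=44) TSi(sz=24) TSr(sz=24)]",
]

if __name__ == "__main__":
    for idx, findings in analyze_log(SAMPLE_LOG).items():
        for severity, indicator, detail in findings:
            print(f"line {idx}: {severity:6} {indicator} ({detail})")
```

Run it against exported Firebox logs one line at a time (`analyze_line`) or over a whole file (`analyze_log`). A hit on `ioa_ip` or `large_cert_payload` warrants the secret-rotation steps described in the Resolution section; `long_cert_chain` alone is a medium signal and should be correlated with the process-hang and crash behaviour described next.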
Device Behavior
IKE process hang
During a successful exploit, the iked process (responsible for handling IKE negotiations) hangs, interrupting new VPN tunnel negotiations and re-keys; existing tunnels may continue to pass traffic. This is a strong indicator of attack.
IKE process crash
After a failed or successful exploit attempt, the iked process crashes and generates a fault report on the Firebox. Other conditions can also cause iked to crash, so this is a weak indicator of attack.
This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5, and 2025.1 up to and including 2025.1.3.
| Vulnerable Version | Resolved Version |
|---|---|
| 2025.1 | 2025.1.4 |
| 12.x | 12.11.6 |
| 12.5.x (T15 & T35 models) | 12.5.15 |
| 12.3.1 (FIPS-certified release) | 12.3.1_Update4 (B728352) |
| 11.x | End of Life |
In addition to installing the latest Fireware OS that contains the fix, administrators who have confirmed threat actor activity on their Firebox appliances must also rotate all locally stored secrets on the affected appliances, as described in our Best Practices to Rotate Shared Secrets Stored on the Firebox knowledge base article.
If your Firebox is only configured with Branch Office VPN tunnels to static gateway peers and you are not able to immediately upgrade the device to a version of Fireware OS with the vulnerability resolution, you can follow WatchGuard’s recommendations for Secure Access to Branch Office VPNs that Use IPSec and IKEv2 as a temporary workaround.
| Product Family | Product Branch | Product List |
|---|---|---|
| Firebox | Fireware OS 12.5.x | T15, T35 |
| Firebox | Fireware OS 2025.1.x | T115-W, T125, T125-W, T145, T145-W, T185 |
| Firebox | Fireware OS 12.x | T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, FireboxV |