Ethical Hacking News
U.S. CISA adds WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox flaws to its Known Exploited Vulnerabilities catalog. These critical vulnerabilities pose significant risks to organizations if not addressed promptly. Experts warn that remote code execution on a perimeter device, exposure via a public-facing VPN service, and pre-auth exploitability make the WatchGuard flaw in particular a highly attractive target for ransomware actors.
CISA has added three new vulnerabilities to its KEV catalog: CVE-2025-9242, CVE-2025-62215, and CVE-2025-12480, affecting WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox respectively. CVE-2025-9242 allows remote unauthenticated attackers to execute arbitrary code on a perimeter appliance. CVE-2025-62215 allows an authorized attacker to elevate privileges locally through a race condition (concurrent execution on a shared resource with improper synchronization). CVE-2025-12480 allows attackers to create a new admin account during the setup process, bypassing authentication. Experts warn that these vulnerabilities pose significant risks to organizations if not addressed promptly. The U.S. CISA has ordered federal agencies to fix these vulnerabilities by December 3, 2025.
Cybersecurity experts are sounding the alarm as three critical vulnerabilities have been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. The WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox flaws pose significant risks to organizations that fail to patch their systems in a timely manner.
The first vulnerability, CVE-2025-9242, is an out-of-bounds write issue affecting the WatchGuard Fireware OS versions 11.10.2–11.12.4_Update1, 12.0–12.11.3, and 2025.1. According to watchTowr researchers, this vulnerability allows remote unauthenticated attackers to execute arbitrary code on a perimeter appliance by targeting the IKEv2 VPN service, an Internet-exposed entry point. This bug ticks all the boxes that ransomware actors crave: remote code execution on a perimeter device, exposure via a public-facing VPN service, and pre-auth exploitability.
Microsoft Windows has also been affected, by a race condition vulnerability tracked as CVE-2025-62215. This vulnerability (CVSS score of 7) allows an authorized attacker to elevate privileges locally by exploiting concurrent execution on a shared resource with improper synchronization. According to Microsoft, this vulnerability is currently under active attack.
The third vulnerability added to the KEV catalog is a Gladinet Triofox Improper Access Control Vulnerability, tracked as CVE-2025-12480. This flaw was previously exploited by threat actors who bypassed authentication to upload and run remote access tools via the platform's antivirus feature. Google's Mandiant researchers have been tracking the ongoing exploitation of this vulnerability, which allows attackers to create a new admin account during the setup process.
Experts warn that these vulnerabilities pose significant risks to organizations if not addressed promptly. The U.S. CISA has ordered federal agencies to fix these vulnerabilities by December 3, 2025. Private organizations are also advised to review the KEV catalog and address the vulnerabilities in their infrastructure.
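The review the article recommends (cross-referencing the KEV catalog against your own inventory, and tracking the remediation deadline) can be scripted. The following is an added example written for this page, not code from CISA or from the article. It embeds a constructed sample shaped like CISA's KEV JSON feed (the field names `cveID`, `vendorProject`, `product` and `dueDate` follow the public feed's schema as I understand it, which is an assumption; the records themselves are built from the three CVE IDs and the December 3, 2025 deadline stated above), a constructed asset inventory with made-up hostnames and versions, and a version check for the WatchGuard Fireware OS ranges listed in the article. Products for which the page gives no version ranges are matched by vendor and product only and flagged for manual verification.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. The field names follow the
# public feed's schema as far as I know (an assumption); the three records are
# built from the article's CVE IDs and deadline, not copied from the live feed.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-9242", "vendorProject": "WatchGuard", "product": "Firebox",
     "dueDate": "2025-12-03"},
    {"cveID": "CVE-2025-62215", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2025-12-03"},
    {"cveID": "CVE-2025-12480", "vendorProject": "Gladinet", "product": "Triofox",
     "dueDate": "2025-12-03"},
]})

# Constructed asset inventory (hostnames and versions are made up for this example).
INVENTORY = [
    {"host": "fw-edge-01", "vendor": "WatchGuard", "product": "Firebox", "version": "12.11.3"},
    {"host": "fw-edge-02", "vendor": "WatchGuard", "product": "Firebox", "version": "12.11.4"},
    {"host": "fw-branch-01", "vendor": "WatchGuard", "product": "Firebox", "version": "11.12.4_Update1"},
    {"host": "fs-share-01", "vendor": "Gladinet", "product": "Triofox", "version": "unknown"},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL", "version": "16.4"},
]


def parse_fireware_version(version):
    """Turn '11.12.4_Update1' into a comparable tuple (11, 12, 4, 1).

    Missing components are padded with zeros, so '12.0' becomes (12, 0, 0, 0).
    Raises ValueError for strings that are not Fireware-style versions.
    """
    base, _, update = version.partition("_Update")
    parts = [int(p) for p in base.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {version!r}")
    parts += [0] * (3 - len(parts))
    return tuple(parts) + (int(update) if update else 0,)


# Affected Fireware OS ranges for CVE-2025-9242, as listed in the article.
FIREWARE_AFFECTED_RANGES = [
    (parse_fireware_version("11.10.2"), parse_fireware_version("11.12.4_Update1")),
    (parse_fireware_version("12.0"), parse_fireware_version("12.11.3")),
]


def fireware_affected(version):
    """True if the version is in an affected range, False if not, None if unparseable."""
    try:
        v = parse_fireware_version(version)
    except ValueError:
        return None
    if any(low <= v <= high for low, high in FIREWARE_AFFECTED_RANGES):
        return True
    # The article lists "2025.1" with no point release; treating every 2025.1.x
    # build as affected is an assumption made here to err on the side of flagging.
    return v[:2] == (2025, 1)


# Per-product version checkers. Only Fireware has version ranges on the page; other
# products fall through to None, meaning "matched by product, verify version manually".
VERSION_CHECKS = {("watchguard", "firebox"): fireware_affected}


def match_inventory(kev_json, inventory, today):
    """Cross-reference an inventory against KEV entries; `today` is an ISO date string."""
    today_date = date.fromisoformat(today)
    by_product = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        by_product.setdefault(key, []).append(entry)

    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in by_product.get(key, []):
            check = VERSION_CHECKS.get(key)
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "version_affected": check(asset["version"]) if check else None,
                "dueDate": entry["dueDate"],
                "overdue": today_date > date.fromisoformat(entry["dueDate"]),
            })
    return findings


def needs_action(findings):
    """Hosts whose version is affected or could not be ruled out (None)."""
    return sorted({f["host"] for f in findings if f["version_affected"] is not False})


if __name__ == "__main__":
    report = match_inventory(KEV_SAMPLE, INVENTORY, "2025-11-13")
    for finding in report:
        print(finding)
    print("needs action:", needs_action(report))
```

Against the live feed you would replace `KEV_SAMPLE` with the downloaded JSON and `INVENTORY` with an export from your asset database; the point of keeping `version_affected` as a three-valued result is that a host with an unknown version, or a product with no version data on the page, still lands on the action list rather than silently passing.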
"CISA is urging all federal civilian agency customers, contractors, and organizations that use software and hardware that uses this vulnerability for an immediate patch on the vulnerabilities listed," says a statement from CISA. "We advise all other organizations to conduct a vulnerability scan as soon as possible."
In light of these critical vulnerabilities, it is essential for organizations to prioritize security and take proactive measures to protect themselves against potential attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Exploiting-Critical-Vulnerabilities-WatchGuard-Firebox-Microsoft-Windows-and-Gladinet-Triofox-Flaws-Exposed-by-Threat-Actors-ehn.shtml
Published: Thu Nov 13 06:48:24 2025 by llama3.2 3B Q4_K_M